diff --git a/rules/cross-platform/command_and_control_common_llm_endpoint.toml b/rules/cross-platform/command_and_control_common_llm_endpoint.toml index 8614a7cea40..b15f7f8f511 100644 --- a/rules/cross-platform/command_and_control_common_llm_endpoint.toml +++ b/rules/cross-platform/command_and_control_common_llm_endpoint.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/01" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] @@ -150,16 +150,18 @@ network where host.os.type in ("macos", "windows") and dns.question.name != null [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" - +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - - diff --git a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml index 5ba4932123d..f8c152baafe 100644 --- a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml +++ b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
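Review bot: The new `[[rule.threat.technique.subtechnique]]` block for T1102.002 is glued to the parent technique's `reference` line and `[rule.threat.tactic]` is glued to the subtechnique's last line, because the hunk removes the old blank separators without adding any back, while the other rules in this commit (google_drive, genai_process_sensitive_file_access, gitleaks, trufflehog) separate every threat table with exactly one blank line. Add an empty line before `[[rule.threat.technique.subtechnique]]` and before `[rule.threat.tactic]` so the file reads like its siblings. The same missing separator appears in the tunnel_qemu hunk (before the T1572 `[[rule.threat.technique]]` and before `[rule.threat.tactic]`), the agent_spoofing_multiple_hosts hunk (before the TA0040 `[rule.threat.tactic]`), the deleting_websvr_access_logs hunk (around the T1070.004 block), the encoding_rot13 hunk (before the TA0005 `[rule.threat.tactic]`) and the genai_config_modification hunk (around the T1574 block). If the repository has a TOML normaliser for rule files, running it over these files would settle the layout in one pass rather than by hand.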
@@ -123,17 +123,22 @@ process.parent.name in ("node", "bun", "node.exe", "bun.exe") and ( [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" - - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" - - [[rule.threat.technique.subtechnique]] - name = "Web Protocols" - id = "T1071.001" - reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml index b508ee3bf19..235c22f4eb0 100644 --- a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml +++ b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/19" integration = ["endpoint", "system"] maturity = "production" -updated_date = "2025/02/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -89,14 +89,23 @@ Google Drive is a widely-used cloud storage service that allows users to store a [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + +[[rule.threat.technique.subtechnique]] +id = "T1102.003" +name = "One-Way Communication" +reference = "https://attack.mitre.org/techniques/T1102/003/" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml index 4ed6298ead7..ba94e8a181e 100644 --- a/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml +++ b/rules/cross-platform/command_and_control_pan_elastic_defend_c2.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/18" integration = ["endpoint", "panw"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -70,6 +70,11 @@ note = """## Triage and analysis [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml index 0ca53756373..46c2d36826f 100644 --- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml +++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/12/10" integration = ["endpoint", "suricata"] maturity = "production" -updated_date = "2026/01/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,7 +76,30 @@ note = """## Triage and analysis [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/cross-platform/command_and_control_tunnel_qemu.toml b/rules/cross-platform/command_and_control_tunnel_qemu.toml index 6a3c887e279..6441d002cd9 100644 --- a/rules/cross-platform/command_and_control_tunnel_qemu.toml +++ b/rules/cross-platform/command_and_control_tunnel_qemu.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/09" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
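Review bot: The second `[[rule.threat]]` entry maps this rule to T1046 Network Service Discovery under TA0007, but the rule's query and description are outside this hunk, so nothing visible here shows that the correlated Suricata alerts include scan or service-discovery signature categories; the file name and the existing TA0011 entry describe C2 correlation only. The same question applies to the added T1571 Non-Standard Port, which is only grounded if the query contains a port-based condition rather than matching on alert category alone. If the query does not select on either, the extra tactic and technique inflate ATT&CK coverage without a matching detection; if it does, one sentence in the rule's `note` or `description` naming the Suricata categories that drive each mapping would make the tags traceable for triage.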
@@ -95,14 +95,23 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" +[[rule.threat.technique]] +id = "T1572" +name = "Protocol Tunneling" +reference = "https://attack.mitre.org/techniques/T1572/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml index 70427bd61ba..ad9183c5d49 100644 --- a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml +++ b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -139,26 +139,54 @@ file where event.action in ("open", "creation", "modification") and event.outcom [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1005" name = "Data from Local System" reference = "https://attack.mitre.org/techniques/T1005/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/cross-platform/credential_access_gitleaks_execution.toml b/rules/cross-platform/credential_access_gitleaks_execution.toml index f4efcf94595..4ae8155c9ca 100644 --- a/rules/cross-platform/credential_access_gitleaks_execution.toml +++ b/rules/cross-platform/credential_access_gitleaks_execution.toml 
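Review bot: The new third `[[rule.threat]]` entry maps this sensitive-file-access rule to T1037.004 RC Scripts under TA0003 Persistence. The hunk header shows the query matching `event.action in ("open", "creation", "modification")`, so a Persistence mapping is only grounded if the monitored path list (outside this hunk) includes shell rc/profile files and the rule is meant to fire on their modification, not only on reads of credential files; I cannot confirm that from here. If the path list does not cover those files the TA0003 block should be dropped; if it does, a short line in the rule's `note` stating which paths justify T1037.004 would save analysts from seeing a Persistence tag on what is otherwise a credential-file read.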
@@ -2,7 +2,7 @@ creation_date = "2025/11/28" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2025/11/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,6 +103,16 @@ id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" @@ -112,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1555/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/cross-platform/credential_access_trufflehog_execution.toml b/rules/cross-platform/credential_access_trufflehog_execution.toml index b6faa0d1aee..334251a1f29 100644 --- a/rules/cross-platform/credential_access_trufflehog_execution.toml +++ b/rules/cross-platform/credential_access_trufflehog_execution.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"] maturity = "production" -updated_date = "2025/11/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,6 +105,16 @@ id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" @@ -114,3 +124,16 @@ reference = "https://attack.mitre.org/techniques/T1555/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml index 84468fac2f7..28fd5a021e7 100644 --- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml +++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -73,15 +73,31 @@ In network environments, agents are deployed on hosts to monitor and report acti [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.002" +name = "Transmitted Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/002/" +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml index 150a6573e2d..a1863190075 100644 --- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml +++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,14 +86,18 @@ file where event.type == "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml index 2a258446202..75b91f559df 100644 --- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml +++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml b/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml index a33eb01577e..2992c160598 100644 --- a/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml +++ b/rules/cross-platform/defense_evasion_encoding_rot13_python_script.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/17" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -81,22 +81,41 @@ ROT encoding, a simple letter substitution cipher, is often used to obfuscate Py [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1140" -name = "Deobfuscate/Decode Files or Information" -reference = "https://attack.mitre.org/techniques/T1140/" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.013" name = "Encrypted/Encoded File" reference = "https://attack.mitre.org/techniques/T1027/013/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/cross-platform/defense_evasion_genai_config_modification.toml b/rules/cross-platform/defense_evasion_genai_config_modification.toml index 812702a98d9..cf95d5c68b5 100644 --- a/rules/cross-platform/defense_evasion_genai_config_modification.toml +++ b/rules/cross-platform/defense_evasion_genai_config_modification.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -104,29 +104,39 @@ file.path : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml b/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml index 20e0c1c6df0..77ad5e0a025 100644 --- a/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml +++ b/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "auditd_manager"] maturity = "production" -updated_date = "2025/12/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -140,19 +140,36 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1587" +name = "Develop Capabilities" +reference = "https://attack.mitre.org/techniques/T1587/" + +[[rule.threat.technique.subtechnique]] +id = "T1587.001" +name = "Malware" +reference = "https://attack.mitre.org/techniques/T1587/001/" + +[rule.threat.tactic] +id = "TA0042" +name = "Resource Development" +reference = "https://attack.mitre.org/tactics/TA0042/" diff --git a/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml b/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml index 1f8053d9767..5a7e264fdc9 100644 --- a/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml +++ b/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/12/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
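Review bot: The new second `[[rule.threat]]` entry maps an on-host compile detection to T1587.001 Malware under TA0042 Resource Development. ATT&CK's own detection notes for Develop Capabilities say this activity largely happens outside the target's visibility, so tagging an endpoint process rule with TA0042 is likely to be counted by coverage dashboards as visibility into a tactic the rule cannot observe; the behaviour it does observe is already captured by the existing T1027.004 Compile After Delivery entry. Unless the repository deliberately tags Resource Development on endpoint rules, I would drop the TA0042 block. If it stays, the rule's `note` should explain why compilation by a GenAI process is treated as malware development rather than as compile-after-delivery.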
@@ -159,14 +159,49 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1560" +name = "Archive Collected Data" +reference = "https://attack.mitre.org/techniques/T1560/" + +[[rule.threat.technique.subtechnique]] +id = "T1560.001" +name = "Archive via Utility" +reference = "https://attack.mitre.org/techniques/T1560/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1560.002" +name = "Archive via Library" +reference = "https://attack.mitre.org/techniques/T1560/002/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1030" +name = "Data Transfer Size Limits" +reference = "https://attack.mitre.org/techniques/T1030/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml index b548ad93348..97c4cbd7997 100644 --- a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml +++ b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml @@ -2,7 +2,7 @@ creation_date = "2022/10/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
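Review bot: The new third `[[rule.threat]]` entry maps the rule to T1030 Data Transfer Size Limits under TA0010, but the hunk header shows this is a `sequence by process.entity_id with maxspan=30s` rule pairing an encoding step with a following network event, and T1030 describes splitting or throttling transfers to fixed chunk sizes, which such a sequence does not observe unless a later step (outside the hunk) inspects transfer sizes. An encode-then-connect pattern is closer to the Exfiltration techniques that describe the channel than to the one that describes size limits. If no size condition exists in the query, drop the T1030 block or replace it with the channel technique that matches the network leg (for example T1041 Exfiltration Over C2 Channel, if that is what the network step represents). The added T1560 Collection entry, by contrast, is grounded by the encoding step and reads fine.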
@@ -106,3 +106,21 @@ reference = "https://attack.mitre.org/techniques/T1036/006/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml index 31b65ceebca..136a5eee241 100644 --- a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml +++ b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/30" integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -96,34 +96,40 @@ FROM logs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml index c6e250f6b81..e2a495f937b 100644 --- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml +++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -89,14 +89,31 @@ Virtual machine fingerprinting involves identifying virtualized environments by [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + +[[rule.threat.technique.subtechnique]] +id = "T1497.001" +name = "System Checks" +reference = "https://attack.mitre.org/techniques/T1497/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml index 2f85b8138b9..af00648718c 100644 --- a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml +++ b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml @@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -172,3 +172,47 @@ reference = "https://attack.mitre.org/techniques/T1083/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml index 8ea0b32ead0..ad5487a6d5d 100644 --- a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml +++ b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml @@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -133,3 +133,16 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml index 8934cb47811..59a2cdf4883 100644 --- a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml +++ b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/23" integration = ["aws", "endpoint"] maturity = "production" -updated_date = "2025/11/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -225,26 +225,36 @@ FROM logs-aws.cloudtrail*, logs-endpoint.events.process-* METADATA _id, _version [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1651" name = "Cloud Administration Command" reference = "https://attack.mitre.org/techniques/T1651/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - 
diff --git a/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml b/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml index bc38184ca9b..42fff8466dd 100644 --- a/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml +++ b/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/03" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -145,17 +145,31 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1651" name = "Cloud Administration Command" reference = "https://attack.mitre.org/techniques/T1651/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml b/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml index 13d278cd24c..807903bc590 100644 --- a/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml +++ b/rules/cross-platform/execution_d4c_k8s_mda_direct_interactive_kubernetes_api_request_by_usual_utilities.toml 
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -121,6 +121,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml b/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
index 211a1183c0f..25b20279397 100644
--- a/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
+++ b/rules/cross-platform/execution_d4c_k8s_mda_forbidden_direct_interactive_kubernetes_api_request.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -125,6 +125,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml b/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
index 652be9cb05b..67741370170 100644
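Review bot: `T1609` Container Administration Command is defined around executing commands through a container administration service (kubelet, API-server exec/attach/run), but this rule, going by its file name, fires on direct API requests that the server *forbids*, so no command is executed by a match. Claiming an attempted technique is a defensible convention for a detection rule, yet the identical `T1609` block is added to every Kubernetes API-request rule in this commit whether or not the matched request can execute anything, which makes the coverage map read as if all of them observe in-container execution. Either restrict the addition to the rules whose query (outside this hunk) matches exec/attach/run endpoints, or add a sentence to the rule note stating that the mapping is attempt-based.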
--- a/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
+++ b/rules/cross-platform/execution_d4c_k8s_mda_kubernetes_api_activity_by_unusual_utilities.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -145,6 +145,16 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -153,6 +163,16 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique]]
 id = "T1613"
 name = "Container and Resource Discovery"
diff --git a/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml b/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
index 95229fe817d..fc91b794a16 100644
--- a/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
+++ b/rules/cross-platform/execution_d4c_k8s_mda_service_account_token_access_followed_by_kubernetes_api_request.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend", "kubernetes"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -108,6 +108,11 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
@@ -135,3 +140,21 @@ reference = "https://attack.mitre.org/techniques/T1613/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml b/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml
index 0074a431b39..314d1926cab 100644
--- a/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml
+++ b/rules/cross-platform/execution_git_exploit_cve_2025_48384.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/12"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/11/12"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -88,12 +88,35 @@ sequence by host.id with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
- [[rule.threat.technique]]
- name = "Exploitation for Client Execution"
- id = "T1203"
- reference = "https://attack.mitre.org/techniques/T1203/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique]]
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml b/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml
index 13869c98f9b..22754b0113e 100644
--- a/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml
+++ b/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/03"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
@@ -123,3 +128,21 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1195.001"
+name = "Compromise Software Dependencies and Development Tools"
+reference = "https://attack.mitre.org/techniques/T1195/001/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/execution_openclaw_agent_child_process.toml b/rules/cross-platform/execution_openclaw_agent_child_process.toml
index 919bf598224..c2a5536ac48 100644
--- a/rules/cross-platform/execution_openclaw_agent_child_process.toml
+++ b/rules/cross-platform/execution_openclaw_agent_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -83,36 +83,89 @@ process where event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1071.001"
 name = "Web Protocols"
 reference = "https://attack.mitre.org/techniques/T1071/001/"
-
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml b/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml
index 4a04cf04a54..9fecc9c12b1 100644
--- a/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml
+++ b/rules/cross-platform/execution_privileged_container_creation_with_host_reference.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/27"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/11/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -127,6 +127,11 @@ id = "T1609"
 name = "Container Administration Command"
 reference = "https://attack.mitre.org/techniques/T1609/"
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/cross-platform/execution_register_github_actions_runner.toml b/rules/cross-platform/execution_register_github_actions_runner.toml
index bd5c534de51..bd45fce941d 100644
--- a/rules/cross-platform/execution_register_github_actions_runner.toml
+++ b/rules/cross-platform/execution_register_github_actions_runner.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/11/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
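Review bot: The Execution block now claims six `T1059` sub-techniques (PowerShell, AppleScript, cmd, Unix Shell, Python, JavaScript) and the new Defense Evasion block claims `T1218.011` Rundll32, which is only accurate if the child-process list in the query (outside this hunk; it starts at `process where event.type == "start" and`) actually matches `osascript`, `rundll32.exe`, `python` and the rest; every sub-technique not backed by a process name in the query inflates coverage reporting without adding detection, so any that are missing should be dropped rather than mapped speculatively. Separately, `+[[rule.threat.technique]]` for `T1105` is appended directly after the `T1071.001` reference and `+[[rule.threat]]` for Defense Evasion directly after the `TA0011` reference, with no blank line, whereas the rest of this hunk inserts a `+` blank separator between tables; adding those two blank lines keeps the file consistent with the other rules touched in this commit. The mapping of `T1140` Deobfuscate/Decode is reasonable for an agent decoding fetched payloads, but it too deserves a matching pattern in the query.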
@@ -95,32 +95,44 @@ process where event.type == "start" and event.action in ("exec", "exec_event", "
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1195"
 name = "Supply Chain Compromise"
 reference = "https://attack.mitre.org/techniques/T1195/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1195.002"
 name = "Compromise Software Supply Chain"
 reference = "https://attack.mitre.org/techniques/T1195/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1219"
+name = "Remote Access Tools"
+reference = "https://attack.mitre.org/techniques/T1219/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
index 62a96f31eb4..2ddadb560c6 100644
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
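Review bot: `T1219` Remote Access Tools describes remote-control software an adversary introduces, so the new Command and Control block is only a correct description of a match when the runner is being registered against a repository or organization the attacker controls, which is presumably what the query (outside this hunk; it begins at `process where event.type == "start" and event.action in (...)`) keys on. If the rule also fires on ordinary self-hosted runner registration, the C2 mapping overstates what an alert means, and the rule note should state that the registration target is the thing an analyst must verify. On style, `+[[rule.threat]]` for the new block is appended directly after `reference = "https://attack.mitre.org/tactics/TA0001/"` with no blank line, unlike the `+` separators this hunk adds between the other tables.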
@@ -89,14 +89,26 @@ process where event.type in ("start", "process_started") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml b/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml
index a9a731ace09..1028f94f30a 100644
--- a/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml
+++ b/rules/cross-platform/execution_sap_netweaver_jsp_webshell.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -67,24 +67,41 @@ note = """## Triage and analysis
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
-
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1505.003"
+name = "Web Shell"
+reference = "https://attack.mitre.org/techniques/T1505/003/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml b/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml
index ac4891f7ad4..d2189e589d5 100644
--- a/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml
+++ b/rules/cross-platform/execution_sap_netweaver_webshell_exec.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
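Review bot: The retained `T1059.007` JavaScript sub-technique does not fit a JSP web shell: JSP is server-side Java, not JavaScript, so unless the query (outside this hunk) matches a JavaScript runtime as a child process, the block `id = "T1059.007"` / `name = "JavaScript"` should be dropped or replaced with the interpreters the shell actually spawns. Likewise `T1203` Exploitation for Client Execution is the client-side technique; the sibling `execution_sap_netweaver_webshell_exec` rule in this same commit gains a `T1190` Exploit Public-Facing Application block under Initial Access for the same SAP NetWeaver scenario, and this rule should receive the identical block so the two stay consistent. The new `T1505.003` Web Shell mapping under Persistence is correct.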
@@ -84,24 +84,74 @@ note = """## Triage and analysis
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
-
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1505.003"
+name = "Web Shell"
+reference = "https://attack.mitre.org/techniques/T1505/003/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
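Review bot: With `T1190` Exploit Public-Facing Application now added under Initial Access, the retained `T1203` Exploitation for Client Execution contradicts it: a web shell running inside a NetWeaver server process is server-side exploitation, and ATT&CK reserves `T1203` for client applications such as browsers and office software. Remove the `id = "T1203"` technique block or justify it in the rule note rather than carrying both. `T1059.007` JavaScript is likewise only warranted if the query (outside this hunk) matches a JavaScript runtime among the spawned children; the newly added PowerShell, cmd, Unix Shell and Python sub-techniques read as the intended interpreter set, and the `T1505.003` Web Shell block is correct.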
diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
index 8ca0cdb5a1f..4cbccabc4c9 100644
--- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
+++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/12/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -109,24 +109,46 @@ Java Naming and Directory Interface (JNDI) is a Java API that provides naming an
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
-
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/execution_via_github_actions_runner.toml b/rules/cross-platform/execution_via_github_actions_runner.toml
index 08782e87f48..c82405b97e9 100644
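Review bot: The threat hunk adds `T1190` Exploit Public-Facing Application yet keeps `T1203` Exploitation for Client Execution; the rule's note (its JNDI sentence is visible in the hunk header) and the file name describe a Java process making a network connection and then spawning a child, which is the server-side pattern `T1190` covers, so `T1203` is on the wrong side of the client/server split and should be dropped rather than carried alongside `T1190`. `T1059.007` JavaScript is also retained even though the sub-techniques this hunk adds are Unix Shell and Python; unless a JavaScript runtime is in the query's child-process list (outside this hunk) it overstates coverage, and Java is not JavaScript. The metadata hunk is a date bump only.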
--- a/rules/cross-platform/execution_via_github_actions_runner.toml
+++ b/rules/cross-platform/execution_via_github_actions_runner.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/11/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -99,32 +99,79 @@ process where event.type == "start" and event.action in ("exec", "exec_event", "
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1195"
 name = "Supply Chain Compromise"
 reference = "https://attack.mitre.org/techniques/T1195/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1195.002"
 name = "Compromise Software Supply Chain"
 reference = "https://attack.mitre.org/techniques/T1195/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml b/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
index ebd0cb49ce7..f2c133d735b 100644
--- a/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
+++ b/rules/cross-platform/execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -115,49 +115,58 @@ not process.env_vars like~ "RUNNER_TRACKING_ID=github_*"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
- [[rule.threat.technique]]
- id = "T1059"
- name = "Command and Scripting Interpreter"
- reference = "https://attack.mitre.org/techniques/T1059/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Initial Access"
- id = "TA0001"
- reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
- [[rule.threat.technique]]
- name = "Supply Chain Compromise"
- id = "T1195"
- reference = "https://attack.mitre.org/techniques/T1195/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Compromise Software Dependencies and Development Tools"
- id = "T1195.001"
- reference = "https://attack.mitre.org/techniques/T1195/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.001"
+name = "Compromise Software Dependencies and Development Tools"
+reference = "https://attack.mitre.org/techniques/T1195/001/"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
-
- [[rule.threat.technique]]
- name = "Impair Defenses"
- id = "T1562"
- reference = "https://attack.mitre.org/techniques/T1562/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Disable or Modify Tools"
- id = "T1562.001"
- reference = "https://attack.mitre.org/techniques/T1562/001/"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.009"
+name = "Break Process Trees"
+reference = "https://attack.mitre.org/techniques/T1036/009/"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
index bfb7916cda2..407eeea5e48 100644
--- a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
+++ b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -127,3 +127,77 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.011"
+name = "Lua"
+reference = "https://attack.mitre.org/techniques/T1059/011/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml b/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml
index dbee870beb8..17b33e323b3 100644
--- a/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml
+++ b/rules/cross-platform/initial_access_exfiltration_new_usb_device_mounted.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Device mount events were added as part of the Elastic Defend Device Control feature."
 min_stack_version = "9.2.0"
-updated_date = "2025/11/11"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -81,34 +81,47 @@ host.os.type:(macos or windows) and event.type:device and event.action:mount and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1091"
 name = "Replication Through Removable Media"
 reference = "https://attack.mitre.org/techniques/T1091/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1052"
 name = "Exfiltration Over Physical Medium"
 reference = "https://attack.mitre.org/techniques/T1052/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1052.001"
 name = "Exfiltration over USB"
 reference = "https://attack.mitre.org/techniques/T1052/001/"
-
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1091"
+name = "Replication Through Removable Media"
+reference = "https://attack.mitre.org/techniques/T1091/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["device.serial_number", "host.id"]
diff --git a/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml b/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml
index b2c14258864..9d7045d8171 100644
--- a/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml
+++ b/rules/cross-platform/initial_access_file_upload_followed_by_get_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/27"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/12/08"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -143,3 +143,16 @@ reference = "https://attack.mitre.org/techniques/T1505/003/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/cross-platform/initial_access_ollama_api_external_access.toml b/rules/cross-platform/initial_access_ollama_api_external_access.toml
index 4a059992f9c..7692634d9c0 100644
--- a/rules/cross-platform/initial_access_ollama_api_external_access.toml
+++ b/rules/cross-platform/initial_access_ollama_api_external_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -89,14 +89,18 @@ network where event.action == "connection_accepted" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
 [[rule.threat.technique]]
 id = "T1190"
 name = "Exploit Public-Facing Application"
 reference = "https://attack.mitre.org/techniques/T1190/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index 6772035224b..8227fb80b3e 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/14"
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -72,14 +72,18 @@ Zoom meetings without passcodes are vulnerable to unauthorized access, known as
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
 [[rule.threat.technique]]
 id = "T1190"
 name = "Exploit Public-Facing Application"
 reference = "https://attack.mitre.org/techniques/T1190/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/cross-platform/persistence_web_server_potential_command_injection.toml b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
index e71c50e44c1..0e14d3d4a48 100644
--- a/rules/cross-platform/persistence_web_server_potential_command_injection.toml
+++ b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -185,6 +185,16 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.011"
+name = "Lua"
+reference = "https://attack.mitre.org/techniques/T1059/011/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
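Review bot: The new `T1059.011` / `Lua` sub-technique in the `@@ -185` hunk of persistence_web_server_potential_command_injection.toml is, as far as I know, a recent ATT&CK addition, so whether it is accepted depends on the ATT&CK version the repository's rule schema validation is pinned to; if that version predates it the rule fails validation, so confirm the pinned version before merging. The same check applies to `T1213.006` added to the Secrets Manager rule later in this commit. The enclosing `[[rule.threat]]` entry (its `framework` line and the parent `T1059` technique) starts before this hunk, so I cannot see whether the query actually covers Python and Lua handlers; a one-line note in the rule description naming the interpreters the query matches would let analysts trust the tags.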
@@ -198,6 +208,11 @@ id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
@@ -225,3 +240,57 @@ reference = "https://attack.mitre.org/techniques/T1595/003/"
 id = "TA0043"
 name = "Reconnaissance"
 reference = "https://attack.mitre.org/tactics/TA0043/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.008"
+name = "/etc/passwd and /etc/shadow"
+reference = "https://attack.mitre.org/techniques/T1003/008/"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
index 1aa962b8f7f..5fab4d49a8f 100644
--- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
+++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -72,19 +72,36 @@ The sudoers file is crucial in Unix-like systems, defining user permissions for
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1548.003"
 name = "Sudo and Sudo Caching"
 reference = "https://attack.mitre.org/techniques/T1548/003/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.003"
+name = "Sudo and Sudo Caching"
+reference = "https://attack.mitre.org/techniques/T1548/003/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
index 0c3fbef2c2e..24e3f7af143 100644
--- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
+++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -111,3 +111,21 @@ framework = "MITRE ATT&CK"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
index 895ef2afa05..204aea801c8 100644
--- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
+++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/02/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/04"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -88,17 +88,26 @@ Sudo is a critical utility in Unix-like systems, allowing users to execute comma
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.003"
+name = "Sudo and Sudo Caching"
+reference = "https://attack.mitre.org/techniques/T1548/003/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [rule.threshold]
 field = ["host.hostname"]
 value = 100
diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
index 042c1dd3d5c..817a6c34543 100644
--- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
+++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -96,3 +96,21 @@ reference = "https://attack.mitre.org/techniques/T1548/003/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.003"
+name = "Sudo and Sudo Caching"
+reference = "https://attack.mitre.org/techniques/T1548/003/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/cross-platform/privilege_escalation_trap_execution.toml b/rules/cross-platform/privilege_escalation_trap_execution.toml
index d94587dd5b0..64bf0260da2 100644
--- a/rules/cross-platform/privilege_escalation_trap_execution.toml
+++ b/rules/cross-platform/privilege_escalation_trap_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/01/12"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -84,3 +84,21 @@ reference = "https://attack.mitre.org/techniques/T1546/005/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.005"
+name = "Trap"
+reference = "https://attack.mitre.org/techniques/T1546/005/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
index 21998af8115..9c0e12dd9e0 100644
--- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -91,17 +91,34 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1530"
 name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
index d649ef077c5..20256d83f57 100644
--- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
+++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_access_by_rare_source.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
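Review bot: The new `[[rule.threat]]` entry in collection_cloudtrail_logging_created.toml tags the rule with `T1562.008` (Disable or Modify Cloud Logs) under Defense Evasion, yet the file name indicates the rule fires on a CloudTrail trail being created, and its existing mapping is Collection / `T1530`; creating a trail does not by itself disable or modify logging, so this tag needs a stated rationale or should be dropped. If there is an adversary scenario behind it (for example, a trail created with a destination outside the monitored account), the rule description should say so, because analysts triage on the tactic and a misleading Defense Evasion tag raises the perceived severity of a benign admin action. The query and description are outside this hunk, so this is inferred from the file name and the prior mapping only.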
@@ -121,42 +121,52 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1530"
 name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1619"
 name = "Cloud Storage Object Discovery"
 reference = "https://attack.mitre.org/techniques/T1619/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
+[[rule.threat.technique]]
+id = "T1565"
+name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1565.001"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
index 7bf37ce9e83..eacc8d821e7 100644
--- a/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
+++ b/rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/06/04"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -95,22 +95,39 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1552.005"
 name = "Cloud Instance Metadata API"
 reference = "https://attack.mitre.org/techniques/T1552/005/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["aws.cloudtrail.user_identity.session_context.session_issuer.arn"]
diff --git a/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml b/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
index 39c54e4f149..57b2baeef95 100644
--- a/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
+++ b/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/11/04"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -78,17 +78,34 @@ iam where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
index d134a095da1..41cee1240b0 100644
--- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -101,19 +101,42 @@ framework = "MITRE ATT&CK"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
index 660e039719b..20d915624bf 100644
--- a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
+++ b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/11/07"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -130,22 +130,39 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1555"
 name = "Credentials from Password Stores"
 reference = "https://attack.mitre.org/techniques/T1555/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1555.006"
 name = "Cloud Secrets Management Stores"
 reference = "https://attack.mitre.org/techniques/T1555/006/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1213"
+name = "Data from Information Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1213.006"
+name = "Databases"
+reference = "https://attack.mitre.org/techniques/T1213/006/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
 [rule.threshold]
 field = ["user.id"]
 value = 1
diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
index 2fd99ea0bd8..d6fa16acad3 100644
--- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
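Review bot: The new `T1213.006` (Databases) mapping in credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml is a poor fit for Secrets Manager retrievals, which the existing `T1555.006` (Cloud Secrets Management Stores) entry already describes precisely; unless the query, which is outside this hunk, also matches database reads, the added Collection entry looks like a mis-mapping and I would drop it or justify it in the description. A second tactic on a threshold rule (`value = 1` per `user.id`) also changes how the alert is bucketed in ATT&CK coverage views, so the tag should reflect what the rule actually observes. Separately, `T1213.006` is, as far as I know, a recent ATT&CK sub-technique, so confirm the ATT&CK version used by the repository's schema validation includes it.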
@@ -132,17 +132,21 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.001"
+name = "Password Guessing"
+reference = "https://attack.mitre.org/techniques/T1110/001/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [rule.threshold]
 field = ["cloud.account.id"]
 value = 10
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index f762db3aa20..2dba17cdace 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -82,22 +82,26 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
index b81501f12d9..dea0d7a8dbb 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -83,22 +83,26 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml b/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml
index 67bc1c4472a..90f097c14e0 100644
--- a/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_serial_console_access_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/02/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -116,22 +116,31 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+[[rule.threat.technique.subtechnique]]
+id = "T1578.005"
+name = "Modify Cloud Compute Configurations"
+reference = "https://attack.mitre.org/techniques/T1578/005/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml
index 5c526fa7a83..6d037474ff9 100644
--- a/rules/integrations/aws/defense_evasion_rds_instance_restored.toml
+++ b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/29"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Austin Songer", "Elastic"]
@@ -153,10 +153,12 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1578"
 name = "Modify Cloud Compute Infrastructure"
 reference = "https://attack.mitre.org/techniques/T1578/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1578.002"
 name = "Create Cloud Instance"
@@ -167,13 +169,28 @@ id = "T1578.004"
 name = "Revert Cloud Instance"
 reference = "https://attack.mitre.org/techniques/T1578/004/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1074.002"
+name = "Remote Data Staging"
+reference = "https://attack.mitre.org/techniques/T1074/002/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index a3f2352b5a1..21de01a0535 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/27"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -122,6 +122,7 @@ event.dataset:aws.cloudtrail and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal"
@@ -131,30 +132,34 @@ reference = "https://attack.mitre.org/techniques/T1070/"
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.008"
 name = "Disable or Modify Cloud Logs"
 reference = "https://attack.mitre.org/techniques/T1562/008/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1490"
 name = "Inhibit System Recovery"
 reference = "https://attack.mitre.org/techniques/T1490/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml b/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
index d441f9f41fd..1d4e6533fa3 100644
--- a/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
+++ b/rules/integrations/aws/defense_evasion_sqs_purge_queue.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/08"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -99,22 +99,34 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.008"
 name = "Disable or Modify Cloud Logs"
 reference = "https://attack.mitre.org/techniques/T1562/008/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1485"
+name = "Data Destruction"
+reference = "https://attack.mitre.org/techniques/T1485/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml b/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
index 78961ffa98f..5bb8dd40931 100644
--- a/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
+++ b/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/07/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -100,19 +100,31 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.007"
 name = "Disable or Modify Cloud Firewall"
 reference = "https://attack.mitre.org/techniques/T1562/007/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml b/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
index 197e4fc57fc..9f6d0e9c3f4 100644
--- a/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
+++ b/rules/integrations/aws/discovery_iam_principal_enumeration_via_update_assume_role_policy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -115,34 +115,44 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1069.003"
+name = "Cloud Groups"
+reference = "https://attack.mitre.org/techniques/T1069/003/"
+
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.004"
 name = "Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1087/004/"
-
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
 [rule.threshold]
 field = ["cloud.account.id", "user.name", "source.ip"]
 value = 25
diff --git a/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml b/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml
index b9e3d273e21..e89c2921f67 100644
--- a/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml
+++ b/rules/integrations/aws/discovery_multiple_discovery_api_calls_via_cli.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -210,17 +210,21 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1526"
+name = "Cloud Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1526/"
+
 [[rule.threat.technique]]
 id = "T1580"
 name = "Cloud Infrastructure Discovery"
 reference = "https://attack.mitre.org/techniques/T1580/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
 [rule.investigation_fields]
 field_names = [
 "Esql.event_action_count_distinct",
diff --git a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
index 20d53a4097c..57341cda8d3 100644
--- a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
+++ b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/24"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/08/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -116,10 +116,17 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.004"
 name = "Cloud Account"
@@ -129,7 +136,6 @@ reference = "https://attack.mitre.org/techniques/T1087/004/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["aws.cloudtrail.user_identity.arn"]
diff --git a/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml b/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml
index cf02dd8f7c0..f86a9fcfd70 100644
--- a/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml
+++ b/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2024/08/26"
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -146,17 +146,21 @@ from logs-aws.cloudtrail-* METADATA _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1526"
+name = "Cloud Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1526/"
+
 [[rule.threat.technique]]
 id = "T1580"
 name = "Cloud Infrastructure Discovery"
 reference = "https://attack.mitre.org/techniques/T1580/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
 [rule.investigation_fields]
 field_names = [
 "Esql.cloud_region_count_distinct",
diff --git a/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml b/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml
index 1998dca1376..1f86cdc6dea 100644
--- a/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml
+++ b/rules/integrations/aws/discovery_ssm_inventory_reconnaissance.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/02/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -124,6 +124,12 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1518"
+name = "Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/"
+
 [[rule.threat.technique]]
 id = "T1538"
 name = "Cloud Service Dashboard"
@@ -138,7 +144,6 @@ reference = "https://attack.mitre.org/techniques/T1580/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["cloud.account.id", "user.name"]
diff --git a/rules/integrations/aws/execution_cloudshell_environment_created.toml b/rules/integrations/aws/execution_cloudshell_environment_created.toml
index dd1be4d86ac..08abce57f78 100644
--- a/rules/integrations/aws/execution_cloudshell_environment_created.toml
+++ b/rules/integrations/aws/execution_cloudshell_environment_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/03/12"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -104,22 +104,39 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.009"
 name = "Cloud API"
 reference = "https://attack.mitre.org/techniques/T1059/009/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
index f410c0aad7a..0be80713d88 100644
--- a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
+++ b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -107,17 +107,34 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1648"
 name = "Serverless Execution"
 reference = "https://attack.mitre.org/techniques/T1648/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1578.005"
+name = "Modify Cloud Compute Configurations"
+reference = "https://attack.mitre.org/techniques/T1578/005/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
index 7164fa9a520..b95f19cbcdd 100644
--- a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
+++ b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/25"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -101,11 +101,16 @@ framework = "MITRE ATT&CK"
 id = "T1648"
 name = "Serverless Execution"
 reference = "https://attack.mitre.org/techniques/T1648/"
+
+[[rule.threat.technique]]
+id = "T1651"
+name = "Cloud Administration Command"
+reference = "https://attack.mitre.org/techniques/T1651/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["cloud.account.id", "user.name"]
diff --git a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
index d54fc7697a2..7ac4b8a88ba 100644
--- a/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
+++ b/rules/integrations/aws/exfiltration_dynamodb_scan_by_unusual_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -82,29 +82,34 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1567"
 name = "Exfiltration Over Web Service"
 reference = "https://attack.mitre.org/techniques/T1567/"
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1213"
+name = "Data from Information Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/"
+
 [[rule.threat.technique]]
 id = "T1530"
 name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
index 5dd56b0f32d..9385daad252 100644
--- a/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
+++ b/rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -73,22 +73,34 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1567"
 name = "Exfiltration Over Web Service"
 reference = "https://attack.mitre.org/techniques/T1567/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1567.002"
 name = "Exfiltration to Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1567/002/"
-
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1213"
+name = "Data from Information Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_ec2_export_task.toml b/rules/integrations/aws/exfiltration_ec2_export_task.toml
index 0934b06a3a4..85ea184fcbd 100644
--- a/rules/integrations/aws/exfiltration_ec2_export_task.toml
+++ b/rules/integrations/aws/exfiltration_ec2_export_task.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/23"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -100,18 +100,30 @@ event.dataset: "aws.cloudtrail" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1537"
 name = "Transfer Data to Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1537/"
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1567.002"
+name = "Exfiltration to Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1567/002/"
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1005"
 name = "Data from Local System"
@@ -127,12 +139,10 @@ id = "T1530"
 name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index a0aa65612d3..69392b27d9b 100644
--- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -122,6 +122,7 @@ event.dataset: "aws.cloudtrail" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1020"
 name = "Automated Exfiltration"
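Review bot: The new `+[[rule.threat.technique]]` for T1567 follows `reference = "https://attack.mitre.org/techniques/T1537/"` with no blank line, and `+reference = "https://attack.mitre.org/techniques/T1567/002/"` runs straight into `[rule.threat.tactic]`, whereas this commit otherwise puts an empty line between technique entries and before the tactic table; the collapsed rendering may hide a blank context line at one of those two junctions, but it cannot hide one at both. The same applies to the T1567 block inserted directly after `framework = "MITRE ATT&CK"` on L70, the T1567 block on L72, and the T1562.008 subtechnique appended right after the T1562.001 `reference` on L79 and L80, where the blank that used to sit there is removed (`-`). I would add an empty line before each inserted table so the threat section reads like the ones this commit reformats.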
@@ -132,36 +133,49 @@ id = "T1537"
 name = "Transfer Data to Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1537/"
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1074"
 name = "Data Staged"
 reference = "https://attack.mitre.org/techniques/T1074/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1040"
 name = "Network Sniffing"
 reference = "https://attack.mitre.org/techniques/T1040/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1040"
+name = "Network Sniffing"
+reference = "https://attack.mitre.org/techniques/T1040/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
index a0ba6578562..3438596f833 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -151,28 +151,38 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1567.002"
+name = "Exfiltration to Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1567/002/"
+
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1213"
 name = "Data from Information Repositories"
 reference = "https://attack.mitre.org/techniques/T1213/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1213.006"
 name = "Databases"
 reference = "https://attack.mitre.org/techniques/T1213/006/"
-
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
index 999b1b4a28f..55d8c871c55 100644
--- a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
+++ b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -148,29 +148,42 @@ and not stringContains(aws.cloudtrail.request_parameters, aws.cloudtrail.recipie
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1537"
 name = "Transfer Data to Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1537/"
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1530"
 name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml b/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml
index a29a22b0cbc..f37e1f2d02a 100644
--- a/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml
+++ b/rules/integrations/aws/exfiltration_s3_bucket_replicated_to_external_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -148,17 +148,26 @@ info where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1537"
 name = "Transfer Data to Cloud Account"
 reference = "https://attack.mitre.org/techniques/T1537/"
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1567.002"
+name = "Exfiltration to Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1567/002/"
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml b/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml
index e64e833936c..be5fa4a3535 100644
--- a/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml
+++ b/rules/integrations/aws/exfiltration_s3_uncommon_client_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/09"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -109,22 +109,34 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1567"
 name = "Exfiltration Over Web Service"
 reference = "https://attack.mitre.org/techniques/T1567/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1567.002"
 name = "Exfiltration to Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1567/002/"
-
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1530"
+name = "Data from Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1530/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml
index 465364b2801..e0a94c08fa9 100644
--- a/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml
+++ b/rules/integrations/aws/exfiltration_sns_rare_protocol_subscription_by_user.toml
@@ -2,12 +2,12 @@
 creation_date = "2024/11/01"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when a use subscribes to an SNS topic using a new protocol type (ie. email, http, lambda, etc.). SNS allows users to subscribe to recieve topic messages across a broad range of protocols like email, sms, lambda functions, http endpoints, and applications. Adversaries may subscribe to an SNS topic to collect sensitive information or exfiltrate data via an external email address, cross-account AWS service or other means. This rule identifies a new protocol subscription method for a particular user.
+Identifies when a user subscribes to an SNS topic using a new protocol type (ie. email, http, lambda, etc.). SNS allows users to subscribe to recieve topic messages across a broad range of protocols like email, sms, lambda functions, http endpoints, and applications. Adversaries may subscribe to an SNS topic to collect sensitive information or exfiltrate data via an external email address, cross-account AWS service or other means. This rule identifies a new protocol subscription method for a particular user.
 """
 false_positives = [
 """
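Review bot: The corrected description line still carries two typos that the same edit could have fixed: `subscribe to recieve topic messages` should read `subscribe to receive topic messages`, and `(ie. email, http, lambda, etc.)` should read `(i.e. email, http, lambda, etc.)`. This is the only wording change in the hunk, so fixing all three together avoids another `updated_date` bump for the same sentence later.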
@@ -88,46 +88,65 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1567"
 name = "Exfiltration Over Web Service"
 reference = "https://attack.mitre.org/techniques/T1567/"
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1530"
 name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1496"
 name = "Resource Hijacking"
 reference = "https://attack.mitre.org/techniques/T1496/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1496.004"
 name = "Cloud Service Hijacking"
 reference = "https://attack.mitre.org/techniques/T1496/004/"
-
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1102.003"
+name = "One-Way Communication"
+reference = "https://attack.mitre.org/techniques/T1102/003/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
index 4b6fbec2338..f432d063a59 100644
--- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
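Review bot: The appended Command and Control block (`T1102.003` One-Way Communication under `TA0011`) has no counterpart in the rule's description, which on the new side still only speaks of collecting sensitive information or exfiltrating data through the subscription, so a reader of the ATT&CK mapping will not find the rationale for it. I would add one sentence to the description, e.g. `A subscription that delivers topic messages to an external endpoint can also act as a one-way notification channel, which is why the rule is also mapped to Command and Control.` The description lives in the earlier hunk of this file, outside this one.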
@@ -2,7 +2,7 @@
 creation_date = "2021/10/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Austin Songer", "Elastic"]
@@ -121,17 +121,34 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1489"
 name = "Service Stop"
 reference = "https://attack.mitre.org/techniques/T1489/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
index 013d9381c79..6ec5c340a09 100644
--- a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
+++ b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/01"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -111,18 +111,25 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1657"
 name = "Financial Theft"
 reference = "https://attack.mitre.org/techniques/T1657/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+
 [[rule.threat.technique]]
 id = "T1619"
 name = "Cloud Storage Object Discovery"
@@ -132,20 +139,19 @@ reference = "https://attack.mitre.org/techniques/T1619/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1530"
 name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
-
 [rule.threshold]
 field = ["tls.client.server_name", "source.address", "aws.cloudtrail.user_identity.type"]
 value = 1
diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index f19cadad27f..cbab012a4ea 100644
--- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -87,34 +87,52 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1565"
 name = "Data Manipulation"
 reference = "https://attack.mitre.org/techniques/T1565/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1565.001"
 name = "Stored Data Manipulation"
 reference = "https://attack.mitre.org/techniques/T1565/001/"
-
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1530"
 name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index 1f6a8dd5d98..ed265299c71 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/18"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -151,34 +151,39 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index 6312cf48c76..4ee8165d8fe 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -138,34 +138,39 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1562.008"
+name = "Disable or Modify Cloud Logs"
+reference = "https://attack.mitre.org/techniques/T1562/008/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
index 0aa53f8fd0e..0b73ed699c3 100644
--- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -125,22 +125,39 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1565"
 name = "Data Manipulation"
 reference = "https://attack.mitre.org/techniques/T1565/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1565.001"
 name = "Stored Data Manipulation"
 reference = "https://attack.mitre.org/techniques/T1565/001/"
-
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1578.005"
+name = "Modify Cloud Compute Configurations"
+reference = "https://attack.mitre.org/techniques/T1578/005/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml b/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml
index 1221591ba53..c6951c7a183 100644
--- a/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml
+++ b/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml
@@ -2,7 +2,7 @@ creation_date = "2025/06/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -116,6 +116,7 @@ info where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
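Review bot: The new `[[rule.threat]]` entry at the end of this hunk gives impact_ec2_disable_ebs_encryption a tactic it did not map before, TA0005 Defense Evasion, but the only other hunk for this file is the `updated_date` bump, so the rule's `tags` array is never touched. Rule files in this repository normally carry one `"Tactic: <name>"` tag per mapped tactic, and the repository's rule tests presumably check that tags and `[rule.threat.tactic]` entries agree; if so, `"Tactic: Defense Evasion"` needs to be added to `tags` here or the file will fail validation. The same gap exists in every other file on this page whose hunks add a previously unmapped tactic without a tags hunk: impact_ec2_ebs_snapshot_access_removed, impact_iam_deactivate_mfa_device, impact_rds_instance_cluster_deletion_protection_disabled, initial_access_iam_session_token_used_from_multiple_addresses, initial_access_kali_user_agent_detected_with_aws_cli, lateral_movement_ec2_instance_console_login, ml_cloudtrail_rare_method_by_city, ml_cloudtrail_rare_method_by_user, persistence_ec2_route_table_modified_or_deleted and persistence_iam_api_calls_via_user_session_token (Defense Evasion), impact_s3_unusual_object_encryption_with_sse_c and persistence_ec2_security_group_configuration_change_detection (Initial Access), lateral_movement_ec2_instance_connect_ssh_public_key_uploaded (Persistence), lateral_movement_ec2_instance_console_login again (Privilege Escalation) and lateral_movement_sns_topic_message_publish_by_rare_user (Command and Control). The `[rule]` table that owns `tags` starts well before this hunk, so it cannot be confirmed from the diff alone.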
@@ -126,12 +127,28 @@ id = "T1490"
 name = "Inhibit System Recovery"
 reference = "https://attack.mitre.org/techniques/T1490/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1578.005"
+name = "Modify Cloud Compute Configurations"
+reference = "https://attack.mitre.org/techniques/T1578/005/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index 2a685166ca7..b5533647e46 100644
--- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -2,7 +2,7 @@ creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -116,34 +116,52 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1531"
 name = "Account Access Removal"
 reference = "https://attack.mitre.org/techniques/T1531/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1556.006"
 name = "Multi-Factor Authentication"
 reference = "https://attack.mitre.org/techniques/T1556/006/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
index 245d0ffc077..84fdd4c093a 100644
--- a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
+++ b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml
@@ -2,7 +2,7 @@ creation_date = "2022/09/21"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Xavier Pich"]
@@ -145,17 +145,21 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
+[[rule.threat.technique.subtechnique]]
+id = "T1485.001"
+name = "Lifecycle-Triggered Deletion"
+reference = "https://attack.mitre.org/techniques/T1485/001/"
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml
index d12ddb1dc74..faa111891fb 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion_protection_disabled.toml
@@ -2,7 +2,7 @@ creation_date = "2024/06/28"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
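Review bot: The sub-technique T1485.001 Lifecycle-Triggered Deletion added under T1485 in this hunk does not obviously fit a rule about a KMS customer managed key being disabled or scheduled for deletion (the file name is the only description of the rule visible here). As I read its ATT&CK entry, T1485.001 covers abuse of cloud storage lifecycle policies that expire objects, whereas scheduling a key for deletion is a direct, if delayed, destructive action that the parent T1485 already describes. If the intent is to capture the mandatory waiting period before the key is destroyed, a short sentence in the rule's `description` or `note` explaining that reading would help analysts who pivot on the sub-technique; otherwise leaving the mapping at T1485 alone seems the safer choice.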
@@ -124,17 +124,34 @@ any where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1578.005"
+name = "Modify Cloud Compute Configurations"
+reference = "https://attack.mitre.org/techniques/T1578/005/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_rds_snapshot_deleted.toml b/rules/integrations/aws/impact_rds_snapshot_deleted.toml
index 7e6e4313c9b..ccee14c1e59 100644
--- a/rules/integrations/aws/impact_rds_snapshot_deleted.toml
+++ b/rules/integrations/aws/impact_rds_snapshot_deleted.toml
@@ -2,7 +2,7 @@ creation_date = "2024/06/29"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -154,17 +154,21 @@ any where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
+[[rule.threat.technique]]
+id = "T1490"
+name = "Inhibit System Recovery"
+reference = "https://attack.mitre.org/techniques/T1490/"
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
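Review bot: Mapping impact_rds_instance_cluster_deletion_protection_disabled to T1578.005 Modify Cloud Compute Configurations in the new `[[rule.threat]]` entry of the first hunk on this line looks like a stretch: T1578 is scoped to compute infrastructure such as instances and snapshots, and RDS is a managed database service. Disabling deletion protection removes a safeguard that exists to keep a database recoverable, which is closer to T1490 Inhibit System Recovery, and the impact_rds_snapshot_deleted hunk further down this line already adds `id = "T1490"` under Impact, so aligning the two would keep the RDS rules consistent. If T1578.005 is kept on purpose, the reasoning is worth a line in the rule's `description` so the Defense Evasion tactic does not look accidental.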
diff --git a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
index 36ccc844da3..5cb0621244b 100644
--- a/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
+++ b/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_keyword.toml
@@ -2,7 +2,7 @@ creation_date = "2024/04/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/02/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -148,6 +148,7 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
@@ -156,10 +157,19 @@ reference = "https://attack.mitre.org/techniques/T1485/"
 [[rule.threat.technique]]
 id = "T1486"
 name = "Data Encrypted for Impact"
-reference = "https://attack.mitre.org/techniques/T1486/"
+reference = "https://attack.mitre.org/techniques/T1486/"
+
+[[rule.threat.technique]]
+id = "T1565"
+name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1565.001"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
diff --git a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
index 743ff129052..9a4bfdd2df7 100644
--- a/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
+++ b/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml
@@ -2,7 +2,7 @@ creation_date = "2025/04/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/12/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
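Review bot: In the `@@ -156,10 +157,19 @@` hunk of impact_s3_bucket_object_uploaded_with_ransom_keyword the line `reference = "https://attack.mitre.org/techniques/T1486/"` is removed and re-added with identical visible text, so the only difference is invisible, most likely trailing whitespace or a CRLF line ending. That noise makes the diff harder to review and suggests an editor setting that may churn other rule files; worth normalizing so the hunk shows only the new T1565 and T1565.001 entries.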
@@ -122,10 +122,22 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1491"
+name = "Defacement"
+reference = "https://attack.mitre.org/techniques/T1491/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1491.002"
+name = "External Defacement"
+reference = "https://attack.mitre.org/techniques/T1491/002/"
+
 [[rule.threat.technique]]
 id = "T1565"
 name = "Data Manipulation"
 reference = "https://attack.mitre.org/techniques/T1565/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1565.001"
 name = "Stored Data Manipulation"
@@ -135,7 +147,6 @@ reference = "https://attack.mitre.org/techniques/T1565/001/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml b/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml
index aacd3792c06..3553a07eb9e 100644
--- a/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml
+++ b/rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml
@@ -2,7 +2,7 @@ creation_date = "2025/01/15"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -105,17 +105,34 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1486"
 name = "Data Encrypted for Impact"
 reference = "https://attack.mitre.org/techniques/T1486/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
index 18c4c507427..0fe9671e72d 100644
--- a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
+++ b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
-updated_date = "2026/02/25"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -222,19 +222,36 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml b/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml
index 93696cfc640..5b330a552b7 100644
--- a/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml
+++ b/rules/integrations/aws/initial_access_kali_user_agent_detected_with_aws_cli.toml
@@ -2,7 +2,7 @@ creation_date = "2025/04/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/12/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -110,22 +110,39 @@ any where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index 32b17765f99..f5071de40fb 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -2,7 +2,7 @@ creation_date = "2020/07/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -125,14 +125,18 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
index 7a3ec1d8500..ca830abaef2 100644
--- a/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
+++ b/rules/integrations/aws/lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml
@@ -2,7 +2,7 @@ creation_date = "2024/04/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -106,36 +106,54 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.004"
 name = "SSH"
 reference = "https://attack.mitre.org/techniques/T1021/004/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.004"
 name = "SSH Authorized Keys"
 reference = "https://attack.mitre.org/techniques/T1098/004/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.004"
+name = "SSH Authorized Keys"
+reference = "https://attack.mitre.org/techniques/T1098/004/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
index e8de6075067..6bb5af9fa5c 100644
--- a/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
+++ b/rules/integrations/aws/lateral_movement_ec2_instance_console_login.toml
@@ -2,7 +2,7 @@ creation_date = "2024/07/24"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -125,66 +125,113 @@ info where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.007"
 name = "Cloud Services"
 reference = "https://attack.mitre.org/techniques/T1021/007/"
-
 [[rule.threat.technique]]
 id = "T1550"
 name = "Use Alternate Authentication Material"
 reference = "https://attack.mitre.org/techniques/T1550/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1550.001"
 name = "Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1552.005"
 name = "Cloud Instance Metadata API"
 reference = "https://attack.mitre.org/techniques/T1552/005/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml b/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml
index 2cb48308925..903ca5ff57d 100644
--- a/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml
+++ b/rules/integrations/aws/lateral_movement_sns_topic_message_publish_by_rare_user.toml
@@ -2,7 +2,7 @@ creation_date = "2025/01/07"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/09/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -140,46 +140,60 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1534"
 name = "Internal Spearphishing"
 reference = "https://attack.mitre.org/techniques/T1534/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1567"
 name = "Exfiltration Over Web Service"
 reference = "https://attack.mitre.org/techniques/T1567/"
-
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1496"
 name = "Resource Hijacking"
 reference = "https://attack.mitre.org/techniques/T1496/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1496.004"
 name = "Cloud Service Hijacking"
 reference = "https://attack.mitre.org/techniques/T1496/004/"
-
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["cloud.account.id", "user.name", "aws.cloudtrail.resources.arn"]
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index 2634447e6ad..87d29e6c201 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -2,7 +2,7 @@ creation_date = "2020/07/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/11/18"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 50
@@ -119,11 +119,24 @@ type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
@@ -134,3 +147,7 @@ id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index db71d8487f4..161aa44c399 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -2,7 +2,7 @@ creation_date = "2020/07/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/11/18"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -117,11 +117,6 @@ type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
@@ -132,14 +127,14 @@ id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-id = "TA0008"
-name = "Lateral Movement"
-reference = "https://attack.mitre.org/tactics/TA0008/"
-
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
@@ -150,9 +145,24 @@ id = "T1021.007"
 name = "Cloud Services"
 reference = "https://attack.mitre.org/techniques/T1021/007/"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -161,13 +171,30 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"
+
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1041"
-name = "Exfiltration Over C2 Channel"
-reference = "https://attack.mitre.org/techniques/T1041/"
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml b/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml
index c81083059cd..4012b663436 100644
--- a/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml
+++ b/rules/integrations/aws/persistence_aws_attempt_to_register_virtual_mfa_device.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0"
-updated_date = "2026/02/25"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -121,32 +121,41 @@ iam where event.dataset == "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.005"
 name = "Device Registration"
 reference = "https://attack.mitre.org/techniques/T1098/005/"
-
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1556.006"
 name = "Multi-Factor Authentication"
 reference = "https://attack.mitre.org/techniques/T1556/006/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index 37786c113df..a72f180dbaf 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -2,7 +2,7 @@ creation_date = "2020/06/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -99,30 +99,41 @@ field_names = [
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1133"
 name = "External Remote Services"
 reference = "https://attack.mitre.org/techniques/T1133/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.007"
 name = "Disable or Modify Cloud Firewall"
 reference = "https://attack.mitre.org/techniques/T1562/007/"
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1578.005"
+name = "Modify Cloud Compute Configurations"
+reference = "https://attack.mitre.org/techniques/T1578/005/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
index 3e29917bfd5..771fa38a30a 100644
--- a/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
@@ -2,7 +2,7 @@ creation_date = "2021/06/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/09/04"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -141,6 +141,23 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1578.005"
+name = "Modify Cloud Compute Configurations"
+reference = "https://attack.mitre.org/techniques/T1578/005/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["cloud.account.id", "user.name"]
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index fd04f7d979e..a2105eaa9e0 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -2,7 +2,7 @@ creation_date = "2021/05/05"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -117,25 +117,53 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml index dde1ff0a43d..16a775ca3a9 100644 --- a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml +++ b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml 
@@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "aws.cloudtrail.session_credential_from_console field introduced in AWS integration version 4.6.0" -updated_date = "2026/02/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -135,17 +135,34 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml index 829f6ade70b..6edad08e841 100644 --- a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml +++ b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/02" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -143,24 +143,28 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/aws/persistence_iam_oidc_provider_created.toml b/rules/integrations/aws/persistence_iam_oidc_provider_created.toml index 16c89c35694..456d11f2abe 100644 --- a/rules/integrations/aws/persistence_iam_oidc_provider_created.toml +++ b/rules/integrations/aws/persistence_iam_oidc_provider_created.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/05" integration = ["aws"] maturity = "production" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -120,39 +120,57 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml index cc0704696b8..3c73289d534 100644 --- a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml +++ b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -137,22 +137,39 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml index 61a70e9d11f..b93e5e1776c 100644 --- a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml +++ b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -129,22 +129,26 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_iam_saml_provider_created.toml b/rules/integrations/aws/persistence_iam_saml_provider_created.toml index 4cf0be3208c..9116a811d46 100644 --- a/rules/integrations/aws/persistence_iam_saml_provider_created.toml +++ b/rules/integrations/aws/persistence_iam_saml_provider_created.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/05" integration = ["aws"] maturity = "production" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -116,39 +116,49 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml index 0e89738a87d..cc5eccd43a2 100644 --- a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml +++ b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
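Review bot: The Persistence block gains `id = "T1098.001"` (Additional Cloud Credentials) for SAML identity-provider creation, yet creating an IdP establishes a federation trust rather than adding a key or password to an existing account, which is what the file's existing T1484.002 Trust Modification block already captures. Since the rule query is outside the hunk I may be missing a credential-related branch, but as written the T1098.001 mapping looks like it describes a different action than the rule detects. Confirm the subtechnique is intended, or drop the `[[rule.threat.technique.subtechnique]]` table and keep the parent `T1098` entry only if the looser mapping is the goal.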
@@ -113,17 +113,34 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml b/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml index 941d53cbad3..cf7e2c1b306 100644 --- a/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml +++ b/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/27" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
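Review bot: The added Defense Evasion block maps a Lambda function policy that grants invoke to any principal to `T1578.005` (Modify Cloud Compute Configurations), but ATT&CK scopes that subtechnique to configuration of the compute service itself (quotas, regions, instance settings), while an over-permissive resource policy is an authorization change, so the mapping may mislabel what this rule detects. The query is outside the hunk and I am inferring the matched event from the file name; confirm the intended technique against the ATT&CK definition before this propagates into coverage reporting.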
@@ -136,28 +136,35 @@ info where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -165,7 +172,6 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_rds_instance_made_public.toml b/rules/integrations/aws/persistence_rds_instance_made_public.toml index cac81e06dff..9ce154caeaa 100644 --- a/rules/integrations/aws/persistence_rds_instance_made_public.toml +++ b/rules/integrations/aws/persistence_rds_instance_made_public.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/29" integration = ["aws"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -144,21 +144,27 @@ any where event.dataset == "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.009" name = "Conditional Access Policies" reference = "https://attack.mitre.org/techniques/T1556/009/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -166,7 +172,6 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml index 7fefa1edaae..c54f9538c96 100644 --- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml +++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/10" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
@@ -127,34 +127,47 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1584" name = "Compromise Infrastructure" reference = "https://attack.mitre.org/techniques/T1584/" + [[rule.threat.technique.subtechnique]] id = "T1584.001" name = "Domains" reference = "https://attack.mitre.org/techniques/T1584/001/" - - [rule.threat.tactic] id = "TA0042" name = "Resource Development" reference = "https://attack.mitre.org/tactics/TA0042/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml index 6a09be1c590..83355ae7d6e 100644 --- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml +++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/19" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Austin Songer", "Elastic"] 
@@ -125,34 +125,47 @@ event.dataset: aws.cloudtrail [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1583" name = "Acquire Infrastructure" reference = "https://attack.mitre.org/techniques/T1583/" + [[rule.threat.technique.subtechnique]] id = "T1583.001" name = "Domains" reference = "https://attack.mitre.org/techniques/T1583/001/" - - [rule.threat.tactic] id = "TA0042" name = "Resource Development" reference = "https://attack.mitre.org/tactics/TA0042/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml index fe48343e5ba..a03d91f91b8 100644 --- a/rules/integrations/aws/persistence_route_table_created.toml +++ b/rules/integrations/aws/persistence_route_table_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/05" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
@@ -111,6 +111,23 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["cloud.account.id", "user.name"] diff --git a/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml b/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml index 1ada122b033..8a4189fc1cd 100644 --- a/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml +++ b/rules/integrations/aws/persistence_sensitive_operations_via_cloudshell.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/10" integration = ["aws"] maturity = "production" -updated_date = "2026/02/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -121,39 +121,54 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.003" name = "Cloud Account" reference = "https://attack.mitre.org/techniques/T1136/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml b/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml index fefefd67732..393e9186804 100644 --- a/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml +++ b/rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/25" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] 
@@ -106,49 +106,72 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.006" name = "Multi-Factor Authentication" reference = "https://attack.mitre.org/techniques/T1556/006/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [rule.new_terms] field = "new_terms_fields" value = ["user.id", "aws.cloudtrail.flattened.request_parameters.serialNumber"] 
diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml index 628f3841116..84d8b807eca 100644 --- a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" -updated_date = "2026/01/22" +updated_date = "2026/03/24" min_stack_comments = "New entity classification fields added: entity.target.id" min_stack_version = "9.2.0" @@ -100,22 +100,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.005" name = "Temporary Elevated Cloud Access" reference = "https://attack.mitre.org/techniques/T1548/005/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml index 4b9ab1316e7..924fb079451 100644 --- a/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml 
+++ b/rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml @@ -2,7 +2,7 @@ creation_date = "2021/09/22" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -125,22 +125,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml index bc91f308bb7..c8929a7f3ec 100644 --- a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml +++ b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["aws"] maturity = "production" -updated_date = "2026/01/22" +updated_date = "2026/03/24" min_stack_comments = "New entity classification fields added: entity.target.id" min_stack_version = "9.2.0" 
@@ -97,22 +97,49 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml index c65c86306e6..213f759f65f 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["aws"] maturity = "production" -updated_date = "2025/12/16" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
@@ -109,34 +109,39 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.005" +name = "Temporary Elevated Cloud Access" +reference = "https://attack.mitre.org/techniques/T1548/005/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml index 0abf5a097d8..43e24f0bc86 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/05" integration = ["aws"] maturity = "production" -updated_date = "2026/02/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,34 +95,62 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml b/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml index 49cbe18daaf..8a9c66dfc46 100644 --- a/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml 
+++ b/rules/integrations/aws/privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/24" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -161,39 +161,67 @@ event.dataset: "aws.cloudtrail" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.005" name = "Temporary Elevated Cloud Access" reference = "https://attack.mitre.org/techniques/T1548/005/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml b/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml index 6e489d34aec..da6188b1d81 100644 --- a/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml 
+++ b/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/23" integration = ["aws"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -134,41 +134,62 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["aws.cloudtrail.user_identity.session_context.session_issuer.arn", "aws.cloudtrail.resources.arn"] 
diff --git a/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml b/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml index aa6c1fdbe9e..9fe428e0fc0 100644 --- a/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml +++ b/rules/integrations/azure/collection_entra_id_sharepoint_access_from_unusual_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/01" integration = ["azure"] maturity = "production" -updated_date = "2026/02/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -119,17 +119,17 @@ event.dataset:azure.signinlogs [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1213" name = "Data from Information Repositories" reference = "https://attack.mitre.org/techniques/T1213/" + [[rule.threat.technique.subtechnique]] id = "T1213.002" name = "Sharepoint" reference = "https://attack.mitre.org/techniques/T1213/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" 
@@ -137,17 +137,44 @@ reference = "https://attack.mitre.org/tactics/TA0009/" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["azure.signinlogs.properties.app_id", "azure.signinlogs.properties.tenant_id"] diff --git a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml index 3f48cab4cf9..7ec1a3dc5ad 100644 --- a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml +++ b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/06" integration = ["azure"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -101,17 +101,39 @@ event.dataset:azure.graphactivitylogs [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" +[[rule.threat.technique.subtechnique]] +id = "T1114.002" +name = "Remote Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/002/" [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml b/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml index a94c27b574e..319b38ece98 100644 --- a/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml +++ b/rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/02" integration = ["azure"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -110,30 +110,41 @@ from logs-azure.signinlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml b/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml index 563375a5e1b..feb44f03e01 100644 --- a/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml +++ b/rules/integrations/azure/credential_access_azure_service_principal_signin_then_arc_credential_listing.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,39 +100,44 @@ sequence with maxspan=30m [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.007" name = "Container API" reference = "https://attack.mitre.org/techniques/T1552/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml index b1e86ae2c14..2f571c6638a 100644 --- a/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml +++ b/rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/28" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -135,30 +135,59 @@ from logs-azure.signinlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml index b1b7021a706..45e975c3b2b 100644 --- a/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml +++ b/rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/07/10" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -175,19 +175,31 @@ by Esql.time_window_date_trunc, azure.platformlogs.identity.claim.upn [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.006" name = "Cloud Secrets Management Stores" reference = "https://attack.mitre.org/techniques/T1555/006/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml index e23245673c1..c09f67d0a5a 100644 --- a/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml +++ b/rules/integrations/azure/credential_access_network_full_network_packet_capture_detected.toml @@ -2,7 +2,7 @@ creation_date = "2021/08/12" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] 
@@ -83,14 +83,26 @@ event.outcome:(Success or success) [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1040" name = "Network Sniffing" reference = "https://attack.mitre.org/techniques/T1040/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1040" +name = "Network Sniffing" +reference = "https://attack.mitre.org/techniques/T1040/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml index 8a88cceeb2f..e87f967702a 100644 --- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml +++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["azure"] maturity = "production" -updated_date = "2025/09/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -73,6 +73,7 @@ tags = [ "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "query" 
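Review bot: The single added line in the `@@ -73,6 +73,7 @@ tags = [` hunk of credential_access_storage_account_key_regenerated is an empty line between `"Resources: Investigation Guide",` and the closing `]`, which looks accidental: it is the only whitespace edit inside an array anywhere in this commit and leaves this rule's `tags` array laid out unlike every other rule's. It parses fine (whitespace is allowed inside TOML arrays), but the rule-format normalisation step is likely to rewrite it, so dropping the added line keeps the diff limited to the intended metadata changes. Nothing else in this file changes beyond the date bump and blank-line normalisation of the threat section, so this is worth removing before merge.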
@@ -84,34 +85,36 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml index d9817465e01..a7edb7fe4fa 100644 --- a/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml +++ b/rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,3 +81,15 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" 
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml index 5b308cfc613..42fb0d38b32 100644 --- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml +++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,19 +80,31 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.008" name = "Disable or Modify Cloud Logs" reference = "https://attack.mitre.org/techniques/T1562/008/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml index 76a3d0239cb..2216b229f91 100644 --- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] 
@@ -80,19 +80,23 @@ event.outcome:(Success or success) [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml index 0acbfc2f754..80d0f3312ef 100644 --- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml +++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,19 +81,23 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml index 5421c5675f8..6a7f6f9d035 100644 --- a/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml +++ b/rules/integrations/azure/defense_evasion_security_alert_suppression_rule_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/08/27" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] @@ -81,14 +81,18 @@ event.outcome: "success" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml index f39b0218f9a..ea718167fd4 100644 --- a/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml +++ b/rules/integrations/azure/discovery_storage_blob_container_access_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -97,16 +97,3 @@ reference = "https://attack.mitre.org/techniques/T1222/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1537" -name = "Transfer Data to Cloud Account" -reference = "https://attack.mitre.org/techniques/T1537/" - - -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml b/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml index 2cddd4d8398..c70aad56309 100644 --- a/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml +++ b/rules/integrations/azure/execution_automation_runbook_created_or_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,6 +80,7 @@ event.dataset:azure.activitylogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" @@ -90,3 +91,15 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml b/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml index ca5229f3624..e24a3b4a3a3 100644 --- a/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml 
+++ b/rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/02" integration = ["azure"] maturity = "production" -updated_date = "2025/10/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -95,22 +95,34 @@ event.dataset: azure.platformlogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" + [[rule.threat.technique.subtechnique]] id = "T1567.002" name = "Exfiltration to Cloud Storage" reference = "https://attack.mitre.org/techniques/T1567/002/" - - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["azure.platformlogs.properties.accountName"] diff --git a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml index 8388ea6ebe5..da3cbcf9a01 100644 --- a/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml +++ b/rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -86,6 +86,23 @@ id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" + +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["azure.activitylogs.identity.claims_initiated_by_user.name"] diff --git a/rules/integrations/azure/impact_resources_resource_group_deletion.toml b/rules/integrations/azure/impact_resources_resource_group_deletion.toml index a28f3b45431..50b60fce964 100644 --- a/rules/integrations/azure/impact_resources_resource_group_deletion.toml +++ b/rules/integrations/azure/impact_resources_resource_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,6 +80,21 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1529" +name = "System Shutdown/Reboot" +reference = "https://attack.mitre.org/techniques/T1529/" + +[[rule.threat.technique]] +id = "T1490" +name = "Inhibit System Recovery" +reference = "https://attack.mitre.org/techniques/T1490/" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" 
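Review bot: The new Defense Evasion mapping uses T1578.005 `Modify Cloud Compute Configurations` for a rule named for Key Vault modifications, but ATT&CK scopes T1578 to cloud compute infrastructure (instances, snapshots, compute settings), so a Key Vault policy or property change does not obviously fall under it; confirm the intended technique before shipping, since this metadata feeds the ATT&CK coverage view and navigator exports and a loose mapping overstates coverage. If the intent is reduced defender visibility (for example disabling vault diagnostics), `T1562.008 Disable or Modify Cloud Logs` is the closer fit; if it is about the modification itself, the existing Impact entry may already be sufficient. The rule's query and description are outside the hunk, so this is inferred from the file name and the visible mapping alone.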
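Review bot: The `@@ -80,6 +80,21 @@` hunk of impact_resources_resource_group_deletion prepends three techniques (T1529 System Shutdown/Reboot, T1490 Inhibit System Recovery, T1489 Service Stop) to the existing T1485 entry, but the rule's only evidence is a resource-group delete operation, so coverage reporting will now count four detected techniques for a single observed action. T1490 is defensible when the group can contain recovery vaults or snapshots; T1529 and T1489 describe effects on workloads the query never inspects, so I would keep the mapping to what the rule evidences or record the rationale in the rule description (outside this hunk). The first added `[[rule.threat.technique]]` header also follows `framework = "MITRE ATT&CK"` with no blank line, unlike the separators the commit inserts elsewhere. The companion `@@ -90,21 +105,3 @@` hunk drops the Defense Evasion T1562.001 entry, so check the `tags` array (not in view) for a now-stale `Tactic: Defense Evasion`.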
@@ -90,21 +105,3 @@ reference = "https://attack.mitre.org/techniques/T1485/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1562" -name = "Impair Defenses" -reference = "https://attack.mitre.org/techniques/T1562/" -[[rule.threat.technique.subtechnique]] -id = "T1562.001" -name = "Disable or Modify Tools" -reference = "https://attack.mitre.org/techniques/T1562/001/" - - - -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml b/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml index e394d39c999..c2c69a968d2 100644 --- a/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml +++ b/rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -89,39 +89,57 @@ event.dataset: "azure.activitylogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.007" name = "Container API" reference = "https://attack.mitre.org/techniques/T1552/007/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/initial_access_azure_service_principal_signin_multiple_countries.toml b/rules/integrations/azure/initial_access_azure_service_principal_signin_multiple_countries.toml index c844468a7a5..afd959b1ce0 100644 --- a/rules/integrations/azure/initial_access_azure_service_principal_signin_multiple_countries.toml +++ b/rules/integrations/azure/initial_access_azure_service_principal_signin_multiple_countries.toml 
@@ -2,7 +2,7 @@ creation_date = "2026/03/10" integration = ["azure"] maturity = "production" -updated_date = "2026/03/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,22 +125,39 @@ FROM logs-azure.signinlogs-* metadata _id, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "azure.signinlogs.properties.service_principal_id", diff --git a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml index 1ef19b65dbd..117f4401963 100644 --- a/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml +++ b/rules/integrations/azure/initial_access_entra_id_actor_token_user_impersonation_abuse.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -106,31 +106,49 @@ from logs-azure.auditlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml index 9ea2a42f57b..83c4a5b1447 100644 --- a/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml +++ b/rules/integrations/azure/initial_access_entra_id_device_code_auth_with_broker_client.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,35 +83,50 @@ Entra ID Device Code Authentication allows users to authenticate devices using a [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" @@ -121,4 +136,3 @@ reference = "https://attack.mitre.org/techniques/T1550/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml index 09ce8630b50..4425f39fcce 100644 --- a/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml 
+++ b/rules/integrations/azure/initial_access_entra_id_external_guest_user_invite.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,26 +78,36 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + +[[rule.threat.technique.subtechnique]] +id = "T1136.003" +name = "Cloud Account" +reference = "https://attack.mitre.org/techniques/T1136/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml b/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml index 61dc6a1a52f..4ec0e262a58 100644 --- a/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml +++ b/rules/integrations/azure/initial_access_entra_id_federated_login_by_unusual_client.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/09" integration = ["azure"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -108,17 +108,17 @@ event.dataset: "azure.signinlogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" @@ -126,22 +126,39 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "azure.signinlogs.properties.service_principal_name", diff --git a/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml b/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml index 6ff9e5edd71..901507c48a5 100644 --- a/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml +++ b/rules/integrations/azure/initial_access_entra_id_first_time_seen_device_code_auth.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/10/14" integration = ["azure"] maturity = "production" -updated_date = "2026/02/26" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Matteo Potito Giorgio"] @@ -78,6 +78,7 @@ tags = [ "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "new_terms" @@ -107,30 +108,49 @@ event.dataset:(azure.activitylogs or azure.signinlogs) [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1566" -name = "Phishing" -reference = "https://attack.mitre.org/techniques/T1566/" -[[rule.threat.technique.subtechnique]] -id = "T1566.002" -name = "Spearphishing Link" -reference = "https://attack.mitre.org/techniques/T1566/002/" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["azure.signinlogs.properties.user_principal_name"] 
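Review bot: In the `@@ -78,6 +78,7 @@` hunk the only change to the `tags` array is an empty line inserted before the closing `]`, while the `@@ -107,30 +108,49 @@` hunk of the same file adds a Defense Evasion tactic; the intended entry was presumably `"Tactic: Defense Evasion",` and the blank line looks like a scripted insert that emitted nothing. The same empty-line-instead-of-tag change appears in initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml and initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml, both of which also gain a Defense Evasion threat block. As written the files still parse, since a blank line inside an array is legal TOML, so nothing fails at load time; the drift only shows up when tags are compared against `rule.threat`, and a formatter pass would silently remove the blank line and hide the evidence.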
diff --git a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml index 67c5edccbc2..cd73e02ab6e 100644 --- a/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml +++ b/rules/integrations/azure/initial_access_entra_id_graph_single_session_from_multiple_addresses.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/08" integration = ["azure"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -190,36 +190,41 @@ from logs-azure.signinlogs-*, logs-azure.graphactivitylogs-* metadata _id, _vers [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1550.004" +name = "Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1550/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml index fd3737f9131..d521704f143 100644 --- a/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml +++ b/rules/integrations/azure/initial_access_entra_id_illicit_consent_grant_via_registered_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,33 +91,26 @@ event.dataset: "azure.auditlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - +[[rule.threat.technique]] +id = "T1199" +name = "Trusted Relationship" +reference = "https://attack.mitre.org/techniques/T1199/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1528" -name = "Steal Application Access Token" -reference = "https://attack.mitre.org/techniques/T1528/" - - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" [rule.investigation_fields] field_names = [ diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml index 84bf8f56d93..2c633fc8965 100644 --- a/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml 
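Review bot: In the `@@ -91,33 +91,26 @@` hunk of initial_access_entra_id_illicit_consent_grant_via_registered_application.toml the T1528 Steal Application Access Token / Credential Access block is removed and T1199 Trusted Relationship is added under Initial Access, yet the sibling OAuth rules in this commit (initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml and initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml) keep their T1528 block while gaining T1199. An illicit consent grant is the scenario MITRE describes under T1528, a malicious application obtaining OAuth tokens through user consent, so dropping it from the rule most directly about that behaviour reads as inconsistent rather than deliberate. If the removal is intentional, the commit message or the rule's note should say why; otherwise keep the Credential Access block alongside the new T1199 technique, and remember that the `tags` array for this file is not touched in the diff.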
+++ b/rules/integrations/azure/initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/17" integration = ["azure"] maturity = "production" -updated_date = "2026/01/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,6 +75,7 @@ tags = [ "Tactic: Initial Access", "Tactic: Credential Access", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "new_terms" 
@@ -139,44 +140,67 @@ event.dataset: "azure.signinlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - +[[rule.threat.technique]] +id = "T1199" +name = "Trusted Relationship" +reference = "https://attack.mitre.org/techniques/T1199/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml index d8d3ad94d2c..e5ddf8e989b 100644 
--- a/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml +++ b/rules/integrations/azure/initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["azure"] maturity = "production" -updated_date = "2026/01/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -74,6 +74,7 @@ tags = [ "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access", + ] timestamp_override = "event.ingested" type = "query" 
@@ -139,41 +140,64 @@ event.outcome: "success" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - +[[rule.threat.technique]] +id = "T1199" +name = "Trusted Relationship" +reference = "https://attack.mitre.org/techniques/T1199/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml b/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml index c3b919b802c..6913e3e883a 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml 
+++ b/rules/integrations/azure/initial_access_entra_id_protection_alerts_for_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,19 +80,54 @@ sequence by azure.identityprotection.properties.user_principal_name with maxspan [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml b/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml index fdff812e200..2fd952ddac8 100644 --- a/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml 
+++ b/rules/integrations/azure/initial_access_entra_id_protection_confirmed_compromise.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/06" integration = ["azure"] maturity = "production" -updated_date = "2025/10/06" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,22 +107,57 @@ event.dataset: azure.identity_protection and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml index da8c29614c4..d0ac2d950ae 100644 
--- a/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_app_id_for_principal_auth.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/12/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,34 +123,52 @@ event.dataset: "azure.signinlogs" and event.category: "authentication" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.investigation_fields] field_names = [ "azure.signinlogs.properties.user_principal_name", 
diff --git a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml index 6ec4110788e..cb949f7b855 100644 --- a/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml +++ b/rules/integrations/azure/initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,17 +94,17 @@ event.dataset: "azure.signinlogs" and event.category: "authentication" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" 
@@ -112,34 +112,44 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml index a80ea2d7227..74b30ff9e01 100644 --- a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml +++ b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -193,10 +193,12 @@ from logs-azure.signinlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" @@ -206,27 +208,44 @@ reference = "https://attack.mitre.org/techniques/T1078/004/" id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml index 99d562c6880..c44ae464c92 100644 --- a/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml +++ b/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/07/02" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,22 +80,39 @@ event.dataset: "azure.signinlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["azure.signinlogs.properties.user_principal_name"] diff --git a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml index 4af77d21fd9..ffd21e01236 100644 --- a/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml +++ b/rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/21" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Willem D'Haese"] 
@@ -80,18 +80,31 @@ event.dataset: "azure.auditlogs"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1621"
+name = "Multi-Factor Authentication Request Generation"
+reference = "https://attack.mitre.org/techniques/T1621/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
index 53b7a160471..030a4b2202d 100644
--- a/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
+++ b/rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/23"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -114,34 +114,52 @@ event.dataset: "azure.graphactivitylogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/ml_azure_rare_method_by_city.toml b/rules/integrations/azure/ml_azure_rare_method_by_city.toml index 84f94ffc52b..cba37cb9c9f 100644 --- a/rules/integrations/azure/ml_azure_rare_method_by_city.toml +++ b/rules/integrations/azure/ml_azure_rare_method_by_city.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/12/08" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -93,11 +93,42 @@ type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
@@ -107,3 +138,8 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_country.toml b/rules/integrations/azure/ml_azure_rare_method_by_country.toml
index bbaf6442692..8ab7ffc6687 100644
--- a/rules/integrations/azure/ml_azure_rare_method_by_country.toml
+++ b/rules/integrations/azure/ml_azure_rare_method_by_country.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
-updated_date = "2025/12/08"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 50
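Review bot: The three sibling ML rules end up with different tactic sets for the same T1078.004 mapping: `ml_azure_rare_method_by_city.toml` gets Initial Access, Defense Evasion and a third entry under Persistence (the `@@ -107,3 +138,8 @@` hunk), while `ml_azure_rare_method_by_country.toml` in the next hunk receives only Initial Access and Defense Evasion, and `ml_azure_rare_method_by_user.toml` receives Initial Access, Persistence and Defense Evasion. If the jobs are meant to share ATT&CK coverage, either add the same `[[rule.threat]]` block with tactic `TA0003` to the by-country rule or drop it here; if the difference is intentional, a sentence in the PR description would save the next reviewer the comparison. The `[rule]` table these entries belong to starts outside the hunk.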
@@ -92,11 +92,24 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -106,3 +119,8 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/ml_azure_rare_method_by_user.toml b/rules/integrations/azure/ml_azure_rare_method_by_user.toml index 2dd9dacbf77..71251715303 100644 --- a/rules/integrations/azure/ml_azure_rare_method_by_user.toml +++ b/rules/integrations/azure/ml_azure_rare_method_by_user.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/12/08" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -91,11 +91,6 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" 
@@ -106,14 +101,14 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" @@ -124,9 +119,24 @@ id = "T1021.007" name = "Cloud Services" reference = "https://attack.mitre.org/techniques/T1021/007/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -135,13 +145,30 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml b/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml index 4d0f2369673..f52e088dc52 100644 --- a/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml +++ b/rules/integrations/azure/persistence_entra_id_application_credential_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/14" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -87,18 +87,36 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml index a89c1fcdf5d..c4d989ec39c 100644 --- a/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_conditional_access_policy_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,6 +92,7 @@ event.dataset: "azure.auditlogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" 
@@ -102,12 +103,28 @@ id = "T1556.009" name = "Conditional Access Policies" reference = "https://attack.mitre.org/techniques/T1556/009/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"] diff --git a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml index 94d21dfa04f..29ec1157ee0 100644 --- a/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml +++ b/rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/06" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,19 +83,36 @@ event.dataset:azure.auditlogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml index 5729fb8abc7..399321fc3c5 100644 --- a/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml +++ b/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -86,19 +86,54 @@ event.dataset: "azure.auditlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.006" name = "Multi-Factor Authentication" reference = "https://attack.mitre.org/techniques/T1556/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml index 67622baed76..ac59e69abe3 100644 --- a/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml +++ b/rules/integrations/azure/persistence_entra_id_pim_user_added_global_admin.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,18 +84,36 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml index 421b38cec2b..58d2f4e9d7c 100644 --- a/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_privileged_identity_management_role_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -85,30 +85,49 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml index b1eac4dbf32..ec43155f239 100644 --- a/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml +++ b/rules/integrations/azure/persistence_entra_id_rt_to_prt_transition_from_user_device.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/24" integration = ["azure"] maturity = "production" -updated_date = "2025/12/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -110,43 +110,45 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -155,3 +157,20 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml index 39ea903de00..d294fd52148 100644 --- a/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml 
+++ b/rules/integrations/azure/persistence_entra_id_service_principal_credentials_added.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -81,6 +81,7 @@ event.dataset: "azure.auditlogs" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" @@ -91,13 +92,28 @@ id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = [ diff --git a/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml b/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml index fd409ec66bb..01c3be3815b 100644 --- a/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml +++ b/rules/integrations/azure/persistence_entra_id_service_principal_federated_issuer_modified.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_version = "9.2.0" min_stack_comments = "Changes in ECS added cloud.* fields which are not available prior to ^9.2.0" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,36 +91,54 @@ from logs-azure.auditlogs-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml index b1f8591e4cc..b61fccee5f3 100644 --- a/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml +++ b/rules/integrations/azure/persistence_entra_id_suspicious_adrs_token_request.toml 
@@ -2,7 +2,7 @@
 creation_date = "2025/06/13"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -81,19 +81,31 @@ event.dataset: "azure.signinlogs" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.005"
 name = "Device Registration"
 reference = "https://attack.mitre.org/techniques/T1098/005/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml
index e292a7a70db..d3b95428b80 100644
--- a/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml
+++ b/rules/integrations/azure/persistence_entra_id_suspicious_cloud_device_registration.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/13"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2026/02/04"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
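Review bot: The new Defense Evasion entry adds T1550 without a subtechnique, whereas the other T1550 additions in this change (the OAuth-flow-via-auth-broker, Graph first-occurrence and RT-to-PRT rules) pair it with T1550.001 Application Access Token. If the ADRS token request this rule matches is an OAuth access token being presented — the query is outside the hunk, so this is inferred from the file name — the same subtechnique would keep the coverage consistent across the set; if the omission is deliberate, say so in the PR description. The `[rule]` table these entries belong to starts outside the hunk.
```toml
[[rule.threat.technique]]
id = "T1550"
# … unchanged: name, reference …

[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"
```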
@@ -106,19 +106,36 @@ sequence by azure.correlation_id with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.005" +name = "Device Registration" +reference = "https://attack.mitre.org/techniques/T1098/005/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml b/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml index 2ca71e31d2f..94600da21cf 100644 --- a/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml +++ b/rules/integrations/azure/persistence_entra_id_tenant_domain_federation_via_audit_logs.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/03" integration = ["azure"] maturity = "development" -updated_date = "2026/03/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,35 +95,64 @@ event.dataset: azure.auditlogs [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.001" name = "Additional Cloud Credentials" reference = "https://attack.mitre.org/techniques/T1098/001/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.007" +name = "Hybrid Identity" +reference = "https://attack.mitre.org/techniques/T1556/007/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.007" +name = "Hybrid Identity" +reference = "https://attack.mitre.org/techniques/T1556/007/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml index 0491e8e6a55..dcc9cdf623e 100644 
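Review bot: The T1556 technique and T1556.007 sub-technique blocks inserted after the T1098.001 reference in the `@@ -95,35 +95,64 @@` hunk carry no explicit blank separator lines, whereas the Defense Evasion `[[rule.threat]]` appended at the end of the same hunk is surrounded by added blank lines. Unless a context blank line sits at that spot (not visible in this collapsed view), the file will run `reference = "https://attack.mitre.org/techniques/T1098/001/"` straight into `[[rule.threat.technique]]`; adding a blank line before that header and before the following `[rule.threat.tactic]` keeps the spacing uniform with the rest of the commit. The same pattern appears in the service-principal owner hunk, the Event Hub hunk, the identity-protection device-registration hunk, the AKS rolebinding hunk and the sensitive-keys-search hunk, where the inserted or moved T1098/T1552 blocks likewise come without a leading blank line.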
--- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml +++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -68,26 +68,39 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml index 0d51d53cae8..fd050eb7fb6 100644 --- a/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml +++ b/rules/integrations/azure/persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/20" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -73,23 +73,36 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to s [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml index ab26fc86d1c..f26e6c6a39d 100644 --- a/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml +++ b/rules/integrations/azure/persistence_entra_id_user_signed_in_from_unusual_device.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/16" integration = ["azure"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -67,6 +67,7 @@ tags = [ "Data Source: Microsoft Entra ID", "Data Source: Microsoft Entra ID Sign-in Logs", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "new_terms" @@ -84,34 +85,35 @@ event.dataset: "azure.signinlogs" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/integrations/azure/persistence_event_hub_created_or_updated.toml b/rules/integrations/azure/persistence_event_hub_created_or_updated.toml index 6cf84594742..fc8d63fc48a 100644 --- a/rules/integrations/azure/persistence_event_hub_created_or_updated.toml +++ b/rules/integrations/azure/persistence_event_hub_created_or_updated.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
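Review bot: The `@@ -67,6 +67,7 @@` hunk adds an empty line inside the `tags` array, immediately before the closing `]`, which is the opposite of what the next hunk in this file does (it strips stray blank lines from the threat blocks). It parses, but it is an orphan whitespace change that none of the other tag arrays in this commit introduce and that a formatter pass will most likely revert. Drop the added line so the array still ends with `"Resources: Investigation Guide",` followed directly by `]`.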
@@ -78,30 +78,36 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml index fa59f5be650..b0db0824583 100644 --- a/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml +++ b/rules/integrations/azure/persistence_graph_eam_addition_or_modification.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/14" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
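Review bot: The T1098.003 Additional Cloud Roles sub-technique added in the `@@ -78,30 +78,36 @@` hunk is hard to reconcile with the rule's trigger, an `azure.activitylogs` Event Hub operation (the operation name is cut off in the hunk context). Creating or updating an Event Hub does not by itself grant a role or permission to an account, which is what T1098.003 describes, so either keep the parent T1098 and drop the sub-technique, or have the rule's description state which role assignment the Event Hub write is taken to imply. The query is outside the hunk, so this may be a deliberate choice I cannot see; please confirm before merge.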
@@ -75,22 +75,39 @@ event.dataset: azure.graphactivitylogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.009" name = "Conditional Access Policies" reference = "https://attack.mitre.org/techniques/T1556/009/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["azure.graphactivitylogs.properties.user_principal_object_id"] diff --git a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml index af9bc41d8c9..757b281be62 100644 --- a/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml +++ b/rules/integrations/azure/persistence_identity_protect_alert_followed_by_device_reg.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -81,25 +81,26 @@ sequence with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - -[[rule.threat.technique.subtechnique]] -id = "T1098.005" -name = "Device Registration" -reference = "https://attack.mitre.org/techniques/T1098/005/" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.005" +name = "Device Registration" +reference = "https://attack.mitre.org/techniques/T1098/005/" [rule.threat.tactic] id = "TA0003" diff --git a/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml b/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml index de9b0f23509..658060292b8 100644 --- a/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml +++ b/rules/integrations/azure/privilege_escalation_azure_rbac_administrator_roles_assigned.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/15" integration = ["azure"] maturity = "production" -updated_date = "2025/09/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -93,18 +93,36 @@ event.dataset: azure.activitylogs and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml index 0f07d5c9080..fa9e622f40b 100644 --- a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml +++ b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/22" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
@@ -90,22 +90,39 @@ event.dataset: azure.auditlogs [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"] diff --git a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml index eae2f416a42..b400b2509d4 100644 --- a/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml +++ b/rules/integrations/azure/privilege_escalation_kubernetes_aks_rolebinding_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["azure"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] 
@@ -82,30 +82,46 @@ event.outcome:(Success or success) [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.006" +name = "Additional Container Cluster Roles" +reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.006" +name = "Additional Container Cluster Roles" +reference = "https://attack.mitre.org/techniques/T1098/006/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/beaconing/command_and_control_beaconing.toml b/rules/integrations/beaconing/command_and_control_beaconing.toml index f89fe47c8c3..5b75f76288e 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["beaconing", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,19 +95,23 @@ Statistical models analyze network traffic patterns to identify anomalies indica [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" + [[rule.threat.technique.subtechnique]] id = "T1102.002" name = "Bidirectional Communication" reference = "https://attack.mitre.org/techniques/T1102/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml index 0fe0d4d7320..26026a63b9d 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["beaconing", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,19 +90,23 @@ Statistical models analyze network traffic patterns to identify anomalies indica [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" + [[rule.threat.technique.subtechnique]] id = "T1102.002" name = "Bidirectional Communication" reference = "https://attack.mitre.org/techniques/T1102/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - 
diff --git a/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml b/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml index 98c2b0a4e53..a49b73ed4f7 100644 --- a/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml +++ b/rules/integrations/cloud_defend/command_and_control_curl_socks_proxy_detected_inside_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -71,6 +71,11 @@ process.interactive == true and container.id like "?*" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml b/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml index 5d448150ea9..eb6374efd8e 100644 --- a/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml +++ b/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,35 +95,40 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique.subtechnique]] - name = "Web Protocols" - id = "T1071.001" - reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
diff --git a/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml b/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml index 0e1b024eb19..5a9bac0b72e 100644 --- a/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml +++ b/rules/integrations/cloud_defend/command_and_control_tunneling_and_port_forwarding.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -96,6 +96,11 @@ process where event.type == "start" and event.action == "exec" and ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" diff --git a/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml index 66fa6456e01..aeef03f2cd3 100644 --- a/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_cloud_creds_search_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -94,3 +94,16 @@ reference = "https://attack.mitre.org/techniques/T1552/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml index 67fbebdda38..6bb349847f8 100644 --- a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,6 +125,11 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + [[rule.threat.technique]] id = "T1560" name = "Archive Collected Data" diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml index 6466f00e4a8..e7d2d276fcd 100644 --- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml 
+++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,7 +115,38 @@ id = "T1552.001" name = "Credentials In Files" reference = "https://attack.mitre.org/techniques/T1552/001/" +[[rule.threat.technique.subtechnique]] +id = "T1552.004" +name = "Private Keys" +reference = "https://attack.mitre.org/techniques/T1552/004/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml b/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml index 1dc98471512..52c57446c7d 100644 --- a/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml +++ b/rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml 
@@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/06" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,3 +115,16 @@ reference = "https://attack.mitre.org/techniques/T1552/001/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml b/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml index a3e3f977696..e44e8569760 100644 --- a/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml +++ b/rules/integrations/cloud_defend/defense_evasion_decoded_payload_piped_to_interpreter.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -130,45 +130,60 @@ sequence by process.parent.entity_id, container.id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" - [[rule.threat.technique]] - name = "Obfuscated Files or Information" - id = "T1027" - reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" - [[rule.threat.technique]] - name = "Deobfuscate/Decode Files or Information" - id = "T1140" - reference = "https://attack.mitre.org/techniques/T1140/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" - - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" - - [[rule.threat.technique]] - name = "User Execution" - id = "T1204" - reference = "https://attack.mitre.org/techniques/T1204/" - - [[rule.threat.technique.subtechnique]] - name = "Malicious File" - id = "T1204.002" - reference = "https://attack.mitre.org/techniques/T1204/002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + 
+[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml b/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml index 5da9a158df8..fec72adfd73 100644 --- a/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml +++ b/rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -150,3 +150,16 @@ reference = "https://attack.mitre.org/techniques/T1204/002/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" 
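Review bot: The new T1059.006 Python and T1059.011 Lua sub-techniques in the `@@ -130,45 +130,60 @@` hunk are justified only if the sequence query (outside the hunk) actually matches python and lua interpreters as the pipe target; if it only covers `sh`/`bash`-style shells, the existing T1059.004 alone was accurate and the extra entries overstate coverage. T1059.011 is also a comparatively recent ATT&CK addition, so the repository's bundled ATT&CK data and rule schema validation should be confirmed to accept that ID. The hunk spans two physical lines in this view but is otherwise complete.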
diff --git a/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml b/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml index 0538c4cd9c4..e03bdc70ab2 100644 --- a/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml +++ b/rules/integrations/cloud_defend/defense_evasion_interactive_process_execution_from_suspicious_directory.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,24 +75,29 @@ process where event.type == "start" and event.action == "exec" and process.inter [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + +[[rule.threat.technique.subtechnique]] +id = "T1564.001" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1564/001/" [[rule.threat.technique]] -name = "Reflective Code Loading" id = "T1620" +name = "Reflective Code Loading" reference = "https://attack.mitre.org/techniques/T1620/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
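Review bot: The T1564.001 Hidden Files and Directories mapping added in the `@@ -75,24 +75,29 @@` hunk should be checked against the directory list in the rule's query, which is outside the hunk: the sub-technique fits only if that list includes dot-prefixed or otherwise hidden paths, not merely temporary or world-writable ones. If the query is limited to the latter, the new mapping overstates what the rule detects and the parent T1564 (or no T1564 entry at all) would be the honest choice; if hidden paths are in the list, the mapping is fine as written.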
@@ -103,15 +108,20 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-name = "Command and Control"
-id = "TA0011"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat.technique]]
-name = "Application Layer Protocol"
 id = "T1071"
+name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
index f84f1a58ad4..ad67670330b 100644
--- a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -99,3 +99,39 @@ reference = "https://attack.mitre.org/techniques/T1574/006/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml b/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml
index 4168f4a7137..d739ee6e277 100644
--- a/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml
+++ b/rules/integrations/cloud_defend/defense_evasion_potential_evasion_via_encoded_payload.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -110,6 +110,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
diff --git a/rules/integrations/cloud_defend/discovery_dns_enumeration.toml b/rules/integrations/cloud_defend/discovery_dns_enumeration.toml
index f09bad36a77..a240e78a308 100644
--- a/rules/integrations/cloud_defend/discovery_dns_enumeration.toml
+++ b/rules/integrations/cloud_defend/discovery_dns_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -109,26 +109,31 @@ process.interactive == true and container.id like "*" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
 [[rule.threat.technique]]
 id = "T1018"
 name = "Remote System Discovery"
 reference = "https://attack.mitre.org/techniques/T1018/"
 [[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
-[[rule.threat.technique]]
-id = "T1016"
-name = "System Network Configuration Discovery"
-reference = "https://attack.mitre.org/techniques/T1016/"
+id = "T1046"
+name = "Network Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1046/"
 [[rule.threat.technique]]
 id = "T1049"
 name = "System Network Connections Discovery"
 reference = "https://attack.mitre.org/techniques/T1049/"
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/integrations/cloud_defend/discovery_environment_enumeration.toml b/rules/integrations/cloud_defend/discovery_environment_enumeration.toml
index f5cef44a7f2..05fdcbcc1be 100644
--- a/rules/integrations/cloud_defend/discovery_environment_enumeration.toml
+++ b/rules/integrations/cloud_defend/discovery_environment_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -96,16 +96,16 @@ process.interactive == true and container.id like "*"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml b/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml
index 9a67f6171d9..91e58c85891 100644
--- a/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml
+++ b/rules/integrations/cloud_defend/discovery_kubelet_certificate_file_access.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -101,3 +101,21 @@ reference = "https://attack.mitre.org/techniques/T1613/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.004"
+name = "Private Keys"
+reference = "https://attack.mitre.org/techniques/T1552/004/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/cloud_defend/discovery_kubelet_pod_discovery_via_builtin_utilities.toml b/rules/integrations/cloud_defend/discovery_kubelet_pod_discovery_via_builtin_utilities.toml
index 9e8e35195e7..fc8c6d397c8 100644
--- a/rules/integrations/cloud_defend/discovery_kubelet_pod_discovery_via_builtin_utilities.toml
+++ b/rules/integrations/cloud_defend/discovery_kubelet_pod_discovery_via_builtin_utilities.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/06"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -86,6 +86,11 @@ sequence by container.id, user.id with maxspan=5s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
 [[rule.threat.technique]]
 id = "T1613"
 name = "Container and Resource Discovery"
diff --git a/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml b/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml
index 81381ad389b..ef16f2f9eb6 100644
--- a/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml
+++ b/rules/integrations/cloud_defend/discovery_privilege_boundary_enumeration_from_interactive_process.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/06"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -94,15 +94,20 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml b/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml
index 5e447e2221b..10cc0ef66c4 100644
--- a/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml
+++ b/rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/06"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -96,17 +96,30 @@ any where host.os.type == "linux" and process.interactive == true and container.
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1613"
-name = "Container and Resource Discovery"
-reference = "https://attack.mitre.org/techniques/T1613/"
-
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
index 6b685a4acac..55c1dcb3970 100644
--- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -156,3 +156,16 @@ reference = "https://attack.mitre.org/techniques/T1595/"
 id = "TA0043"
 name = "Reconnaissance"
 reference = "https://attack.mitre.org/tactics/TA0043/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1040"
+name = "Network Sniffing"
+reference = "https://attack.mitre.org/techniques/T1040/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
index 6a1717f97e5..3ad1999ecd1 100644
--- a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -122,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1609/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml b/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml
index eca6ed47139..2878c5eeeac 100644
--- a/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml
+++ b/rules/integrations/cloud_defend/execution_direct_interactive_kubernetes_api_request.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/27"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -132,6 +132,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
@@ -149,3 +154,21 @@ reference = "https://attack.mitre.org/techniques/T1613/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml b/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml
index aa6c4f5a487..545c68ed42e 100644
--- a/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml
+++ b/rules/integrations/cloud_defend/execution_interactive_file_creation_in_system_binary_locations.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/06"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -78,11 +78,6 @@ file.path like (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
@@ -93,23 +88,43 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-name = "Command and Control"
-id = "TA0011"
-reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [[rule.threat.technique]]
-name = "Application Layer Protocol"
 id = "T1071"
+name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Resource Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
+
 [rule.threat.tactic]
-name = "Defense Evasion"
 id = "TA0005"
+name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml b/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
index 4d369ab6944..1b2800b05ca 100644
--- a/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
+++ b/rules/integrations/cloud_defend/execution_kubeletctl_execution.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -97,6 +97,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
index 8c8ff36688b..28586e1bcca 100644
--- a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -125,3 +125,34 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1048"
+name = "Exfiltration Over Alternative Protocol"
+reference = "https://attack.mitre.org/techniques/T1048/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1048.003"
+name = "Exfiltration Over Unencrypted Non-C2 Protocol"
+reference = "https://attack.mitre.org/techniques/T1048/003/"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
diff --git a/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml b/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml
index 929a3fbb945..de03d834e18 100644
--- a/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml
+++ b/rules/integrations/cloud_defend/execution_payload_downloaded_and_piped_to_shell.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -99,11 +99,6 @@ sequence by process.parent.entity_id, container.id with maxspan=1s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
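Review bot: The new Exfiltration entry in the `@@ -125,3 +125,34 @@` hunk maps `T1048.003` (Exfiltration Over Unencrypted Non-C2 Protocol) to a rule whose name says it fires on a netcat listener being established, which is an inbound socket and does not by itself show data leaving the container; the query is outside the hunk, so whether it also matches outbound connections cannot be confirmed here. The `T1095` Command and Control entry above it is grounded in what a listener does; the exfiltration entry reads as an inference about later attacker use. If the query only matches listen-mode invocations, consider dropping the `TA0010` entry or reflecting the assumption in the rule's description so analysts reading ATT&CK coverage are not told the rule observes exfiltration.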
@@ -114,23 +109,38 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
 [rule.threat.tactic]
-name = "Command and Control"
-id = "TA0011"
-reference = "https://attack.mitre.org/tactics/TA0011/"
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-name = "Application Layer Protocol"
 id = "T1071"
+name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [rule.threat.tactic]
-name = "Defense Evasion"
 id = "TA0005"
+name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml b/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml
index 1e80e6c6c4e..579b60c02b9 100644
--- a/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml
+++ b/rules/integrations/cloud_defend/execution_potential_direct_kubelet_access_via_process_args.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
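Review bot: The last Defense Evasion `[[rule.threat]]` entry in the `@@ -114,23 +109,38 @@` hunk still has only a `[rule.threat.tactic]` and no `[[rule.threat.technique]]` beneath it, even though the hunk touches those exact lines to swap `id` and `name`; a tactic with no technique adds nothing to ATT&CK coverage views and is easy to mistake for a truncated block. The other rules touched in this change fill the same slot (`execution_interactive_file_creation_in_system_binary_locations.toml` adds `T1036.005`, `execution_suspicious_interactive_interpreter_command_execution.toml` adds `T1140`), so this one looks like an oversight rather than a deliberate tactic-only mapping. If decoding of the piped payload is what the query observes, the same three lines `id = "T1140"`, `name = "Deobfuscate/Decode Files or Information"`, `reference = "https://attack.mitre.org/techniques/T1140/"` under a `[[rule.threat.technique]]` header would fit; otherwise pick the technique the query actually covers, since the query itself is outside this hunk.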
@@ -105,3 +105,16 @@ reference = "https://attack.mitre.org/techniques/T1613/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml
index 37ebcaa3c19..4b08510e3c8 100644
--- a/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_suspicious_file_made_executable_via_chmod_inside_a_container.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -122,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1222/002/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
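Review bot: The new Privilege Escalation entry in the `@@ -122,3 +122,21 @@` hunk of the chmod rule maps `T1548.001` (Setuid and Setgid), which is only accurate if the chmod arguments the query matches include setuid/setgid mode changes rather than just execute-bit changes; the query is outside this hunk and the header shows only the preceding `T1222.002` Defense Evasion entry, so this cannot be confirmed here. A rule named "file made executable" that matches only `+x`-style modes would over-claim coverage with this mapping. Please confirm the mode patterns in the query before merge, and if they do not include the setuid/setgid bits either drop this entry or widen the query so the mapping holds.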
diff --git a/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml b/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml
index 674f355202d..d677ad19712 100644
--- a/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml
+++ b/rules/integrations/cloud_defend/execution_suspicious_interactive_interpreter_command_execution.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -117,45 +117,63 @@ process.parent.executable != null and (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
- [[rule.threat.technique]]
- id = "T1059"
- name = "Command and Scripting Interpreter"
- reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
- [[rule.threat.technique.subtechnique]]
- name = "Unix Shell"
- id = "T1059.004"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
- [[rule.threat.technique.subtechnique]]
- name = "Python"
- id = "T1059.006"
- reference = "https://attack.mitre.org/techniques/T1059/006/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.011"
+name = "Lua"
+reference = "https://attack.mitre.org/techniques/T1059/011/"
- [[rule.threat.technique.subtechnique]]
- name = "Lua"
- id = "T1059.011"
- reference = "https://attack.mitre.org/techniques/T1059/011/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
- [[rule.threat.technique]]
- name = "Application Layer Protocol"
- id = "T1071"
- reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
- [[rule.threat.technique.subtechnique]]
- name = "Web Protocols"
- id = "T1071.001"
- reference = "https://attack.mitre.org/techniques/T1071/001/"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/cloud_defend/execution_tool_installation.toml b/rules/integrations/cloud_defend/execution_tool_installation.toml
index ad87e634195..a5a4dec9515 100644
--- a/rules/integrations/cloud_defend/execution_tool_installation.toml
+++ b/rules/integrations/cloud_defend/execution_tool_installation.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -98,3 +98,16 @@ reference = "https://attack.mitre.org/techniques/T1072/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml b/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml
index f2710c97edc..7bbd64a8f65 100644
--- a/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml
+++ b/rules/integrations/cloud_defend/persistence_modification_of_persistence_relevant_files.toml
@@ -4,7 +4,7 @@ integration = ["cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -116,24 +116,39 @@ not process.name in ("apt", "apt-get", "dnf", "microdnf", "yum", "zypper", "tdnf
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+[[rule.threat.technique.subtechnique]]
+id = "T1053.002"
+name = "At"
+reference = "https://attack.mitre.org/techniques/T1053/002/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.003"
 name = "Cron"
 reference = "https://attack.mitre.org/techniques/T1053/003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1053.006"
+name = "Systemd Timers"
+reference = "https://attack.mitre.org/techniques/T1053/006/"
+
 [[rule.threat.technique]]
-id = "T1037"
-name = "Boot or Logon Initialization Scripts"
-reference = "https://attack.mitre.org/techniques/T1037/"
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1543.002"
+name = "Systemd Service"
+reference = "https://attack.mitre.org/techniques/T1543/002/"
 [[rule.threat.technique]]
 id = "T1546"
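Review bot: The three new sub-techniques in this hunk, `T1053.002` (At), `T1053.006` (Systemd Timers) and `T1543.002` (Systemd Service), each assert that the rule's monitored path list covers at spool, systemd timer unit and systemd service unit locations, but the query is outside the hunk; only its package-manager exclusion is visible in the header, so the claim cannot be verified from the diff. The same blocks are repeated in the `@@ -153,21 +168,36 @@` and `@@ -191,11 +221,21 @@` hunks of this file, so a sub-technique the query does not actually match would need removing from all three copies. Please confirm each added sub-technique against a path the query matches before merge, since the Elastic coverage tooling treats these mappings as detection claims.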
@@ -153,21 +168,36 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique.subtechnique]] +id = "T1053.006" +name = "Systemd Timers" +reference = "https://attack.mitre.org/techniques/T1053/006/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" @@ -191,11 +221,21 @@ id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique.subtechnique]] +id = "T1053.006" +name = "Systemd Timers" +reference = "https://attack.mitre.org/techniques/T1053/006/" + [rule.threat.tactic] id = "TA0002" name = "Execution" 
diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml index a177a35115c..3da9b6ce39b 100644 --- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml +++ b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1563/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml b/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml index 4e79c7957c8..92639f5d1fc 100644 --- a/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml +++ b/rules/integrations/cloud_defend/persistence_suspicious_echo_or_printf_execution.toml 
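Review bot: The new `[[rule.threat]]` block in the `@@ -122,3 +122,21 @@` hunk maps T1098.004 "SSH Authorized Keys" only to TA0004 Privilege Escalation, although ATT&CK lists T1098 Account Manipulation under both Persistence and Privilege Escalation and the rule file itself is named persistence_*. The part of the file above this hunk is not visible, so if it already carries a TA0003 block this is moot; if it does not, the rule's primary tactic is absent from its own mapping and it will not appear under Persistence in coverage views. The fix is a second copy of the added block with the tactic lines changed to `id = "TA0003"`, `name = "Persistence"`, `reference = "https://attack.mitre.org/tactics/TA0003/"`, which is how the other cloud_defend rules in this commit pair their Persistence and Privilege Escalation mappings.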
@@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,9 +86,9 @@ process.args like ( framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" [[rule.threat.technique]] id = "T1053" @@ -101,9 +101,24 @@ name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" [[rule.threat.technique]] -id = "T1037" -name = "Boot or Logon Initialization Scripts" -reference = "https://attack.mitre.org/techniques/T1037/" +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" [[rule.threat.technique]] id = "T1546" @@ -115,6 +130,16 @@ id = "T1546.004" name = "Unix Shell Configuration Modification" reference = "https://attack.mitre.org/techniques/T1546/004/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
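Review bot: The `@@ -101,9 +101,24 @@` hunk adds sub-technique T1543.004 "Launch Daemon" under T1543, but in ATT&CK that sub-technique is macOS-specific (launchd), while this rule ships with the cloud_defend integration, whose rules in this same commit describe Linux container workloads and map T1543 to T1543.002 "Systemd Service" (see the persistence_modification_of_persistence_relevant_files hunks above). Unless the rule's query, which sits outside the hunk, explicitly matches LaunchDaemon plist paths, the Linux sub-technique is the consistent choice: `id = "T1543.002"`, `name = "Systemd Service"`, `reference = "https://attack.mitre.org/techniques/T1543/002/"`. The same T1543.004 block is repeated in the `@@ -138,6 +158,46 @@` hunk on the next line (the Privilege Escalation threat block) and should be changed together with this one.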
@@ -123,11 +148,6 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" - [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" @@ -138,6 +158,46 @@ id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" 
@@ -156,7 +216,30 @@ id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml b/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml index eb31c917b85..66be4c56c57 100644 --- a/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml +++ b/rules/integrations/cloud_defend/persistence_suspicious_webserver_child_process_execution.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/03/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -237,11 +237,6 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Persistence" -id = "TA0003" -reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" 
@@ -252,14 +247,14 @@ id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" 
@@ -270,15 +265,61 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml index de958bb3bd4..8bc0dec0005 100644 
--- a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml +++ b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,3 +108,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml index 1542c1df465..4b4422d6871 100644 --- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml +++ b/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,3 +91,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml index ae927878370..5b7dd0fa5c3 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml +++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml @@ -3,7 +3,7 @@ creation_date = "2021/06/23" integration = ["cyberarkpas"] maturity = "production" promotion = true -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -53,16 +53,17 @@ event.dataset:cyberarkpas.audit and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -71,3 +72,28 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1555" +name = "Credentials from Password Stores" +reference = "https://attack.mitre.org/techniques/T1555/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml index cd93d27121e..78a1259f568 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_destination_port.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -89,14 +89,26 @@ Machine learning models analyze network traffic to identify anomalies, such as d - Implement enhanced monitoring on the affected system and network segment to detect any further suspicious activity.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml index 8e885a4b26b..8b7205dff6a 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -89,14 +89,18 @@ The detection rule leverages machine learning to identify anomalies in data tran - Consider deploying endpoint detection and response (EDR) solutions to enhance visibility and control over data movements to external devices.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1052" name = "Exfiltration Over Physical Medium" reference = "https://attack.mitre.org/techniques/T1052/" +[[rule.threat.technique.subtechnique]] +id = "T1052.001" +name = "Exfiltration over USB" +reference = "https://attack.mitre.org/techniques/T1052/001/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml index a69cb0486c3..efabd632315 100644 --- a/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml +++ b/rules/integrations/ded/exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -90,14 +90,18 @@ Airdrop facilitates seamless file sharing between Apple devices, leveraging Blue - Update security policies and controls to restrict Airdrop usage to only trusted devices and networks, reducing the risk of future unauthorized data transfers.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1011" name = "Exfiltration Over Other Network Medium" reference = "https://attack.mitre.org/techniques/T1011/" +[[rule.threat.technique.subtechnique]] +id = "T1011.001" +name = "Exfiltration Over Bluetooth" +reference = "https://attack.mitre.org/techniques/T1011/001/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml index d0c800d51aa..f4de893c2c1 100644 --- a/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml +++ b/rules/integrations/ded/exfiltration_ml_rare_process_writing_to_external_device.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["ded", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -89,14 +89,18 @@ In modern environments, processes may write data to external devices for legitim - Update security policies and controls to prevent similar exfiltration attempts, such as restricting process permissions to write to external devices and enhancing endpoint protection measures.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1052" name = "Exfiltration Over Physical Medium" reference = "https://attack.mitre.org/techniques/T1052/" +[[rule.threat.technique.subtechnique]] +id = "T1052.001" +name = "Exfiltration over USB" +reference = "https://attack.mitre.org/techniques/T1052/001/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml index 4754264f30d..c73adc011f1 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/04/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,19 +99,28 @@ Domain Generation Algorithms (DGAs) are used by adversaries to dynamically gener [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml index afcf159faef..e02a63c654f 100644 --- a/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dga_high_sum_probability.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 
@@ -96,14 +96,28 @@ Domain Generation Algorithms (DGAs) are used by malware to dynamically generate - Escalate to incident response team: If the threat is confirmed and widespread, escalate the incident to the organization's incident response team for further investigation and coordinated response efforts.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" +[[rule.threat.technique.subtechnique]] +id = "T1568.002" +name = "Domain Generation Algorithms" +reference = "https://attack.mitre.org/techniques/T1568/002/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml index 1e9fe0424c3..1779d62bc79 100644 --- a/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml +++ b/rules/integrations/dga/command_and_control_ml_dns_request_high_dga_probability.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -98,19 +98,28 @@ Machine learning models analyze DNS requests to identify patterns indicative of [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml index 4f2e1f35a0a..8db1349b652 100644 --- a/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml +++ b/rules/integrations/dga/command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/14" integration = ["dga", "endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,19 +99,28 @@ Machine learning models can identify patterns in DNS requests that suggest the u [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/integrations/fim/persistence_suspicious_file_modifications.toml b/rules/integrations/fim/persistence_suspicious_file_modifications.toml index 4ef9a45946f..c1132aad536 100644 --- a/rules/integrations/fim/persistence_suspicious_file_modifications.toml +++ b/rules/integrations/fim/persistence_suspicious_file_modifications.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["fim"] maturity = "production" -updated_date = "2025/12/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -220,14 +220,24 @@ name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" [[rule.threat.technique]] -id = "T1547" -name = "Boot or Logon Autostart Execution" -reference = "https://attack.mitre.org/techniques/T1547/" +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" [[rule.threat.technique.subtechnique]] -id = "T1547.006" -name = "Kernel Modules and Extensions" -reference = "https://attack.mitre.org/techniques/T1547/006/" +id = "T1053.002" +name = "At" +reference = "https://attack.mitre.org/techniques/T1053/002/" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" [[rule.threat.technique]] id = "T1136" 
@@ -249,6 +259,36 @@ id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.017" +name = "Udev Rules" +reference = "https://attack.mitre.org/techniques/T1546/017/" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.013" +name = "XDG Autostart Entries" +reference = "https://attack.mitre.org/techniques/T1547/013/" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml index 2ade101b010..33faa556722 100644 --- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml +++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -81,14 +81,18 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1119" +name = "Automated Collection" +reference = "https://attack.mitre.org/techniques/T1119/" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml index 2f2e473a30c..0473d5f4fa8 100644 --- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml +++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,14 +84,26 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1651" +name = "Cloud Administration Command" +reference = "https://attack.mitre.org/techniques/T1651/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml index 6999cef9783..9d21843dd4f 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml 
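Review bot: In the `@@ -84,14 +84,26 @@` hunk for the Pub/Sub topic-creation rule, the added TA0002 block maps T1651 "Cloud Administration Command" to an `event.action:google.pubsub.v*.Publisher.CreateTopic` audit event, yet T1651 describes abuse of a cloud provider's management service to run commands inside virtual machines, which creating a topic does not do. The sibling subscription-creation rule earlier on this line received T1119 "Automated Collection" under the existing Collection tactic instead, so the two Pub/Sub creation rules now classify the same kind of control-plane API activity differently. Unless the rule's query (outside the hunk) also covers command execution, I would drop the added `[[rule.threat]]` block for TA0002 or align it with the subscription rule's T1119 mapping under TA0009.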
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,14 +87,18 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml index 6ac6b9d0085..d6c9d4f6b8f 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,14 +84,18 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml index 3afdc0d904e..3e4fed7407c 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,14 +87,18 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.007" +name = "Disable or Modify Cloud Firewall" +reference = "https://attack.mitre.org/techniques/T1562/007/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml index 0959ed9e33e..8f5b62bc283 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -84,14 +84,18 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml index 36bd43f1c07..e31c93cdc88 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/18" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,14 +81,18 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml index b232902cc6d..e3ee14773ab 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/23" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,14 +82,26 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml index 01e2afac043..3a37cf5ddb8 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/18" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,14 +83,26 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml index d518d9a46db..57cc51606af 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,14 +82,18 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1578" name = "Modify Cloud Compute Infrastructure" reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
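Review bot: The second hunk of defense_evasion_gcp_storage_bucket_configuration_modified.toml adds T1578.005 "Modify Cloud Compute Configurations" to a rule that fires on `storage.buckets.update`, and a Cloud Storage bucket is not compute infrastructure. The parent technique T1578 was already on the rule, so this change inherits rather than introduces the mismatch, but adding the subtechnique makes the mapping more specific and therefore more visibly wrong. Worth checking the ATT&CK definition of T1578 before merging; if the concern is defense-evasive bucket changes (logging, retention, public access), a T1562 subtechnique or the T1565 family is likely the closer fit, and the rule's description should say which behaviour the mapping targets. The same T1578.005 block is added to the two VPC route rules in this change (defense_evasion_gcp_virtual_private_cloud_route_created.toml and _route_deleted.toml); routes are at least network infrastructure, so that pairing is less of a stretch, but the rationale should be consistent across the three files.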
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml index 66e67424205..b73908983d6 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,14 +82,49 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml index 49efa174d6f..53b59b684e5 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,19 +82,31 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml index 8ae59e5172f..2c3215cd61f 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
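Review bot: The new Impact threat in defense_evasion_gcp_virtual_private_cloud_network_deleted.toml maps `v*.compute.networks.delete` to T1485 Data Destruction, while the Pub/Sub topic and subscription deletion rules in this same change map resource deletion to T1489 Service Stop. A VPC network holds no stored data; deleting it severs connectivity for dependent workloads, which reads closer to T1489 than to T1485. Suggest aligning with the Pub/Sub rules, or recording in the rule's description why Data Destruction was chosen, so the GCP deletion rules present one consistent Impact model.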
@@ -83,19 +83,28 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml index 2dbfe20dffd..535b01be892 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,19 +83,28 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" +[[rule.threat.technique]] +id = "T1578" +name = "Modify Cloud Compute Infrastructure" +reference = "https://attack.mitre.org/techniques/T1578/" +[[rule.threat.technique.subtechnique]] +id = "T1578.005" +name = "Modify Cloud Compute Configurations" +reference = "https://attack.mitre.org/techniques/T1578/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml index cff4a666a38..54b9bf8b324 100644 --- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml +++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -84,14 +84,31 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.008" +name = "Disable or Modify Cloud Logs" +reference = "https://attack.mitre.org/techniques/T1562/008/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml index d26fdfad9fe..062541f2343 100644 --- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml +++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -82,26 +82,54 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml index 6ba99513f42..5b663d18ff7 100644 --- a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml +++ b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/11/21" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
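Review bot: In initial_access_gcp_iam_custom_role_creation.toml the T1078 Valid Accounts technique in both the Initial Access and the Persistence threat elements is left without a subtechnique, while the ml_gcp_rare_method_by_* hunks in this change add T1078.004 Cloud Accounts wherever T1078 appears. For a rule driven by `gcp.audit` IAM events the cloud-account subtechnique is the accurate one, and leaving it off only here makes the GCP rule set inconsistent. Adding the four-line `[[rule.threat.technique.subtechnique]]` block for T1078.004 (id, name, reference to `https://attack.mitre.org/techniques/T1078/004/`) directly after each T1078 technique would bring this file in line with the others.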
@@ -63,11 +63,24 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -77,3 +90,8 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml index c151731755a..406d9c424c4 100644 --- a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml +++ b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/11/21" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -63,11 +63,42 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -77,3 +108,8 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml index 0474776c35d..871858777f2 100644 --- a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml +++ b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New job added" min_stack_version = "9.3.0" -updated_date = "2025/11/21" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -62,11 +62,6 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" @@ -77,14 +72,14 @@ id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - [[rule.threat.technique]] id = "T1021" name = "Remote Services" @@ -95,9 +90,24 @@ id = "T1021.007" name = "Cloud Services" reference = "https://attack.mitre.org/techniques/T1021/007/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -106,12 +116,30 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1041" -name = "Exfiltration Over C2 Channel" -reference = "https://attack.mitre.org/techniques/T1041/" +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml index 6060132006a..6d3e2886d52 100644 --- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml +++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -86,14 +86,26 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml index 84d9cc8278b..c4c1bd5488b 100644 --- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml +++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/21" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,14 +87,18 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml index 64c798841be..176344f20a5 100644 
--- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml +++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["gcp"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,14 +83,18 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" +[[rule.threat.technique.subtechnique]] +id = "T1136.003" +name = "Cloud Account" +reference = "https://attack.mitre.org/techniques/T1136/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml index 5bf9ba190ef..f480ad701fe 100644 --- a/rules/integrations/github/execution_github_app_deleted.toml +++ b/rules/integrations/github/execution_github_app_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -67,14 +67,31 @@ configuration where event.dataset == "github.audit" and github.category == "inte [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml index 723fabe54ae..09f3929e3ab 100644 --- a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml +++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
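Review bot: The new Defense Evasion threat in execution_github_app_deleted.toml maps every GitHub App deletion to T1562.001 Disable or Modify Tools, but the query visible in the hunk header context (`github.category == "inte…`) does not distinguish security-tooling apps from any other integration. The mapping is defensible only when the deleted app is a defensive control, so the rule's description or investigation note should state that assumption; both are outside this hunk and do not appear to be touched by the change. Confirm that text is updated alongside the new tactic, or the alert will carry a Defense Evasion label for routine integration clean-up.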
@@ -72,17 +72,34 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.threshold] field = ["github.hashed_token"] value = 1 diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml index d7a9a7fb68d..d7660e1b6ad 100644 --- a/rules/integrations/github/execution_new_github_app_installed.toml +++ b/rules/integrations/github/execution_new_github_app_installed.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -72,14 +72,39 @@ configuration where event.dataset == "github.audit" and event.action == "integra [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1072" name = "Software Deployment Tools" reference = "https://attack.mitre.org/techniques/T1072/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1199" +name = "Trusted Relationship" +reference = "https://attack.mitre.org/techniques/T1199/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml b/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml index b0f024d3a6b..3832a15240f 100644 --- a/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml +++ b/rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -109,3 +109,21 @@ reference = "https://attack.mitre.org/techniques/T1567/001/" id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml b/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml index 46b687e9fdb..f93858e672e 100644 --- a/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml +++ b/rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2025/12/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -50,6 +50,16 @@ reference = "https://attack.mitre.org/tactics/TA0040/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" 
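Review bot: In the first hunk of impact_github_repository_activity_from_unusual_ip.toml, T1078 / T1078.004 is appended to the `[[rule.threat]]` element that already lists T1195 Supply Chain Compromise, but that element's `[rule.threat.tactic]` lies outside the hunk. ATT&CK places T1078 under Initial Access, Persistence, Privilege Escalation and Defense Evasion only; the following hunk's context shows a `TA0002` Execution tactic in this region of the file, so if that tactic belongs to this element the technique/tactic pairing is invalid and the repository's ATT&CK validation would be expected to reject it. Confirm which tactic this element carries before merging; if it is not one of the four, the T1078.004 block belongs in its own `[[rule.threat]]` with an appropriate tactic.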
@@ -78,6 +88,23 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["source.ip", "github.repo"] diff --git a/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml b/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml index 56e1f025d29..ce69ec2c81b 100644 --- a/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml +++ b/rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -98,6 +98,16 @@ id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" + [rule.threat.tactic] id = "TA0040" name = "Impact" diff --git a/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml b/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml index 3273c4e208e..f7975e32147 100644 
--- a/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml +++ b/rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,6 +99,16 @@ id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" + [rule.threat.tactic] id = "TA0040" name = "Impact" diff --git a/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml b/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml index 46a8c27fb5d..db556bfbf9b 100644 --- a/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml +++ b/rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml @@ -4,7 +4,7 @@ integration = ["github"] maturity = "production" min_stack_comments = "mv_contains ES|QL function only available post 9.2 in tech preview" min_stack_version = "9.2.0" -updated_date = "2026/01/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,6 +103,16 @@ id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" + [rule.threat.tactic] id = "TA0040" name = "Impact" 
diff --git a/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml index 59d99cbea86..dd4d72e5c96 100644 --- a/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml +++ b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/09" integration = ["github"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,10 +84,12 @@ event.dataset: "github.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" @@ -100,6 +102,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -110,6 +113,23 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" [rule.new_terms] field = "new_terms_fields" value = ["github.org_id", "github.repo"] diff --git a/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml b/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml index 15f2ba57bd8..80af6816d13 100644 
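Review bot: The 17 added lines of the Impact `[[rule.threat]]` entry in the `@@ -110,6 +113,23 @@` hunk begin with `+[[rule.threat]]` right after the Execution `reference = "https://attack.mitre.org/tactics/TA0002/"` line and end with `+reference = "https://attack.mitre.org/tactics/TA0040/"` right before `[rule.new_terms]`, so one of those two table boundaries is left without the single blank line every other table in the file uses (the collapsed diff hides which side the original blank context line sits on). Add a blank line so the new entry is separated on both sides, i.e. a blank after the Execution `reference` line and one before `[rule.new_terms]`; the same pattern appears before `[rule.new_terms]` in the unusual-IP and new-OAuth-login rules in this change. This is cosmetic unless the repo's TOML normalizer reinserts the blank on the next lint pass, but the rendered rule is harder to scan without it.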
--- a/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml +++ b/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/05" integration = ["github"] maturity = "production" -updated_date = "2025/12/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,23 +84,30 @@ from logs-github.audit-* metadata _id, _index, _version [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + +[[rule.threat.technique.subtechnique]] +id = "T1195.001" +name = "Compromise Software Dependencies and Development Tools" +reference = "https://attack.mitre.org/techniques/T1195/001/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -113,12 +120,12 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml index 5b6539b9114..6cb779a03d6 100644 --- a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml +++ b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/11/28" integration = ["github"] maturity = "production" -updated_date = "2025/12/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -73,23 +73,26 @@ event.dataset:"github.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + +[[rule.threat.technique.subtechnique]] +id = "T1195.001" +name = "Compromise Software Dependencies and Development Tools" +reference = "https://attack.mitre.org/techniques/T1195/001/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - - [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.actor_ip"] diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml index 6ebccba2979..ab17df05ed0 100644 --- a/rules/integrations/github/persistence_github_org_owner_added.toml +++ b/rules/integrations/github/persistence_github_org_owner_added.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -72,19 +72,46 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.003" name = "Cloud Account" reference = "https://attack.mitre.org/techniques/T1136/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/github/persistence_new_pat_created.toml b/rules/integrations/github/persistence_new_pat_created.toml index ff972644a35..ca627a7c411 100644 --- a/rules/integrations/github/persistence_new_pat_created.toml +++ b/rules/integrations/github/persistence_new_pat_created.toml @@ -2,7 +2,7 @@ creation_date = "2023/12/16" integration = ["github"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -72,6 +72,16 @@ github.category == "personal_access_token" and event.action == "personal_access_ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml index c8b2b1f0fc5..b4352967199 100644 --- a/rules/integrations/github/persistence_organization_owner_role_granted.toml +++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -70,19 +70,36 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml index 8b50df9d34a..7cab15de693 100644 --- a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml +++ b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/24" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -101,19 +101,31 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1074" name = "Data Staged" reference = "https://attack.mitre.org/techniques/T1074/" + [[rule.threat.technique.subtechnique]] id = "T1074.002" name = "Remote Data Staging" reference = "https://attack.mitre.org/techniques/T1074/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1537" +name = "Transfer Data to Cloud Account" +reference = "https://attack.mitre.org/techniques/T1537/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml index 36138972133..464366aa8c5 100644 --- a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml +++ b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/21" integration = ["google_workspace"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -102,19 +102,31 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1530" +name = "Data from Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1530/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml index ba8f4a4f7f8..6306e9be4c1 100644 --- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml +++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -107,19 +107,23 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml index 50b9fd776ed..987573a3585 100644 --- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml +++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,19 +99,28 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml index 3da71e49a09..c6a45f868a9 100644 --- a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/06" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,19 +100,23 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml index dbe8480ee6b..625a14b96ce 100644 --- a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml +++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/30" integration = ["google_workspace"] maturity = "production" -updated_date = "2025/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -90,39 +90,57 @@ google_workspace.token.scope.data: *Login and google_workspace.token.client.id: [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["google_workspace.token.client.id"] diff --git a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml index 09ecde61c16..2b52d566d85 100644 --- a/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml 
+++ b/rules/integrations/google_workspace/defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/25" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,19 +108,23 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml index b55c2591321..6ca7e8646d2 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,14 +99,26 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1531" name = "Account Access Removal" reference = "https://attack.mitre.org/techniques/T1531/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml index 5c62a0f8be1..25db102037c 100644 --- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml +++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -103,14 +103,49 @@ event.dataset:google_workspace.admin and event.provider:admin [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1531" name = "Account Access Removal" reference = "https://attack.mitre.org/techniques/T1531/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml index 9da5f09028e..9ae1d29e3c6 100644 --- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml +++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/16" integration = ["google_workspace"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
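Review bot: The two added T1556.006 entries at the end of the hunk cover Credential Access (TA0006) and Defense Evasion (TA0005) but omit Persistence (TA0003), which ATT&CK also lists for Modify Authentication Process and which the sibling rule persistence_google_workspace_2sv_policy_disabled.toml keeps in this same change. For a tenant-wide MFA-enforcement change the persistence angle is the one analysts most often pivot on, so the omission makes the two Workspace MFA rules disagree on tactic coverage. Consider a third entry mirroring the added ones with the Persistence tactic; the existing T1531 Impact entry can stay as-is.

```toml
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[[rule.threat.technique.subtechnique]]
id = "T1556.006"
name = "Multi-Factor Authentication"
reference = "https://attack.mitre.org/techniques/T1556/006/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```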
@@ -104,19 +104,31 @@ iam where event.dataset == "google_workspace.admin" and event.action == "ADD_GRO [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml index e3a60da3cd3..1b4990aa49c 100644 --- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml +++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/17" integration = ["google_workspace"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -94,19 +94,41 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml index 46a1d328e83..afa271c9bad 100644 --- a/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml +++ b/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/07" integration = ["google_workspace"] maturity = "production" -updated_date = "2025/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -116,19 +116,54 @@ sequence by source.user.email with maxspan=3m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.001" +name = "Malicious Link" +reference = "https://attack.mitre.org/techniques/T1204/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml index 90cf5ef9b6e..88bf490d5ac 100644 --- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml +++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml 
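Review bot: The added Persistence entry maps the OAuth consent grant in this sequence to T1098.001 Additional Cloud Credentials, but that sub-technique describes an adversary adding keys or secrets to an account they already control, whereas a user consenting to a third-party app is the scenario ATT&CK covers under T1528 Steal Application Access Token (Credential Access), which is arguably the closer fit. The T1204.001 Malicious Link entry added above it is consistent with the rule's phishing framing and can stay. Only the `sequence by source.user.email with maxspan=3m` header of the query is visible in the hunk heading; if the sequence's second step is the app-consent token event, I would replace the T1098.001 entry with the block below, otherwise disregard.

```toml
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
```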
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -104,8 +104,17 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
index 4647fb4aed4..5e354b05b51 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/26"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
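Review bot: In the `@@ -104,8 +104,17 @@` hunk the inserted `[[rule.threat.technique]]` block follows `framework = "MITRE ATT&CK"` with no separating blank line, while the hunks that reformat existing threat blocks elsewhere in this commit (for example the one just below in persistence_google_workspace_2sv_policy_disabled.toml) add a `+` blank line at exactly that spot. As far as the hunk counts show (three leading context lines, the first of which is blank, then the insert), nothing hidden by the collapsed rendering supplies that blank, so this file ends up with `framework` butted against the technique header. The same pattern appears where technique blocks are inserted after `framework` in discovery_suspicious_self_subject_review.toml and execution_anonymous_create_update_patch_pod_request.toml; adding the blank line in those three hunks keeps the threat blocks formatted alike across the rule set.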
@@ -103,14 +103,39 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index a23661911b2..6d63f4458ff 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -107,19 +107,36 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml
index 2a59b14eadc..0783b41bddd 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/12"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -104,14 +104,26 @@ event.dataset:google_workspace.admin
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
index 643c9d27e06..6ccf74de94f 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -104,14 +104,36 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
index 986aac4bd3d..479e37fcf31 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -111,14 +111,26 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1484"
+name = "Domain or Tenant Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1484/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
index 040e19fdd98..57d821e3325 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -106,14 +106,26 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
index cb0bc8fec70..5d52d7026ce 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/06"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -106,19 +106,36 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category:
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
index 8bc3d051239..b86f191f01d 100644
--- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["google_workspace"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -100,14 +100,26 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml b/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml
index 0a6f1a1293f..5bfd274a247 100644
--- a/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml
+++ b/rules/integrations/kubernetes/credential_access_azure_arc_proxy_secret_configmap_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/10"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/10"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -111,31 +111,54 @@ FROM logs-kubernetes.audit_logs-* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1552.007"
 name = "Container API"
 reference = "https://attack.mitre.org/techniques/T1552/007/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1213"
+name = "Data from Information Repositories"
+reference = "https://attack.mitre.org/techniques/T1213/"
+
 [[rule.threat.technique]]
 id = "T1530"
 name = "Data from Cloud Storage"
 reference = "https://attack.mitre.org/techniques/T1530/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1565"
+name = "Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1565.001"
+name = "Stored Data Manipulation"
+reference = "https://attack.mitre.org/techniques/T1565/001/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
index 7e2e716541f..d2956e2aa07 100644
--- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
+++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/03"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
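Review bot: The new Impact entry (T1565.001 Stored Data Manipulation) asserts that this rule fires on modification of the Azure Arc proxy secret/ConfigMap, but the rule is named and was previously mapped as a read-side detection (T1552.007 Container API, T1530 Data from Cloud Storage). The ES|QL query beginning `FROM logs-kubernetes.audit_logs-*` is outside the hunk, so it is worth confirming that its verb filter actually covers update/patch/delete before keeping a tactic that analysts will read as "the data was altered"; if the query only matches get/list/watch, drop the Impact block. The added T1213 Data from Information Repositories under Collection is a reasonable companion to the existing T1530 mapping.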
diff --git a/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml b/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml
index a8929be63ef..78095ce33eb 100644
--- a/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml
+++ b/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/02"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/03"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -137,3 +137,21 @@ reference = "https://attack.mitre.org/techniques/T1613/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1595.003"
+name = "Wordlist Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/003/"
+
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
index 359940c58b7..8d281cecbaf 100644
--- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
+++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/06/30"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/03"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -91,6 +91,16 @@ kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectr
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1069.003"
+name = "Cloud Groups"
+reference = "https://attack.mitre.org/techniques/T1069/003/"
+
 [[rule.threat.technique]]
 id = "T1613"
 name = "Container and Resource Discovery"
@@ -100,7 +110,6 @@ reference = "https://attack.mitre.org/techniques/T1613/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user_agent.original"]
diff --git a/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml b/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml
index 25df5e78816..0a7e58df7b7 100644
--- a/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml
+++ b/rules/integrations/kubernetes/execution_anonymous_create_update_patch_pod_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/02"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -40,6 +40,11 @@ kubernetes.audit.objectRef.resource == "pods"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
index 19a1619b8ab..3d7530a10c0 100644
--- a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
+++ b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
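Review bot: The `@@ -100,7 +110,6 @@` hunk removes the only blank line between `reference = "https://attack.mitre.org/tactics/TA0007/"` and `[rule.new_terms]`, so the tactic table now runs straight into the next top-level table, whereas the rest of this commit separates every threat sub-table with a blank line. The hunk counts (seven old lines: id, name, reference, the removed blank, then the three `[rule.new_terms]` lines) leave no room for a hidden blank, so the join is real. The same no-blank join appears where the appended threat blocks meet `[rule.new_terms]` in execution_forbidden_request_from_unsual_user_agent.toml and execution_unusual_request_response_by_user_agent.toml; keeping a blank line before `[rule.new_terms]` in all three files would match the formatting applied elsewhere in this sweep.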
@@ -2,7 +2,7 @@
 creation_date = "2025/06/24"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -78,3 +78,4 @@ framework = "MITRE ATT&CK"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
index b6fa7170cb4..3ee8f23c9b9 100644
--- a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
+++ b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/03"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -79,6 +79,18 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user_agent.original"]
diff --git a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
index 1dcd69850d3..da9b80ada3d 100644
--- a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
+++ b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/18"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/03"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
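Review bot: The `@@ -78,3 +78,4 @@` hunk for execution_forbidden_creation_request.toml consists of a lone `+` after `reference = "https://attack.mitre.org/tactics/TA0002/"`, which appends a trailing blank line at end of file, while elsewhere this same sweep removes trailing blank lines (for example the `-` at the end of the persistence_application_added_to_google_workspace_domain.toml hunk). There is no "No newline at end of file" marker, so this is not a missing-newline fix. Dropping the added line keeps every rule file ending with exactly one newline, as the other files do after this commit.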
@@ -84,6 +84,31 @@ id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username", "user_agent.original"]
diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
index a850dfd2023..1ac77ed6803 100644
--- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/03"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
index 229f671329b..f19fb4cd1e0 100644
--- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
+++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/06/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -91,14 +91,26 @@ event.dataset : "kubernetes.audit_logs"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1133"
 name = "External Remote Services"
 reference = "https://attack.mitre.org/techniques/T1133/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
index ec7881b3507..3a035b3ef2e 100644
--- a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/20"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -106,3 +106,16 @@ reference = "https://attack.mitre.org/techniques/T1610/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index 15f42caaf18..abd158abb57 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index f68d1d287ff..dad214db728 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
index 550d4cdd47e..a2d144b306f 100644
--- a/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/04"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -36,16 +36,16 @@ This rule detects when a user grants or broadens high-risk permissions in a Role
 ### False positive analysis
-- A platform engineer performing an urgent, legitimate RBAC adjustment (e.g., expanding a Role/ClusterRole for a new feature rollout) and then immediately patching or deploying a DaemonSet/Deployment/CronJob as part of the same change window can match this sequence.
+- A platform engineer performing an urgent, legitimate RBAC adjustment (e.g., expanding a Role/ClusterRole for a new feature rollout) and then immediately patching or deploying a DaemonSet/Deployment/CronJob as part of the same change window can match this sequence.
 - A CI/CD pipeline or GitOps-style workflow using a non-system:masters identity may update RBAC manifests and then apply workload updates within minutes during routine releases, producing this pattern without malicious intent.
 ### Response and remediation
-- Immediately revoke or roll back the risky Role/ClusterRole changes and remove any new/updated RoleBinding/ClusterRoleBinding that ties the elevated permissions to the triggering user or service account.
-- Quarantine the modified Deployment/DaemonSet/CronJob by scaling it to zero or deleting it and cordon/drain affected nodes if pods ran privileged, used hostPath mounts, or executed on many nodes.
-- Rotate credentials and access paths exposed through the workload (service account tokens, kubeconfig files, mounted secrets, cloud keys) and invalidate any newly issued tokens tied to the actor.
-- For eradication and recovery, redeploy workloads from trusted Git/registry sources, block the suspicious images/digests in admission controls, and verify no persistence remains via CronJobs, DaemonSets, webhook configurations, or additional RBAC bindings.
-- Escalate to incident response and platform leadership if the RBAC change included wildcard permissions or escalation verbs, if the workload ran privileged/hostNetwork/hostPID, or if sensitive secrets were accessed or exfiltration is suspected.
+- Immediately revoke or roll back the risky Role/ClusterRole changes and remove any new/updated RoleBinding/ClusterRoleBinding that ties the elevated permissions to the triggering user or service account.
+- Quarantine the modified Deployment/DaemonSet/CronJob by scaling it to zero or deleting it and cordon/drain affected nodes if pods ran privileged, used hostPath mounts, or executed on many nodes.
+- Rotate credentials and access paths exposed through the workload (service account tokens, kubeconfig files, mounted secrets, cloud keys) and invalidate any newly issued tokens tied to the actor.
+- For eradication and recovery, redeploy workloads from trusted Git/registry sources, block the suspicious images/digests in admission controls, and verify no persistence remains via CronJobs, DaemonSets, webhook configurations, or additional RBAC bindings.
+- Escalate to incident response and platform leadership if the RBAC change included wildcard permissions or escalation verbs, if the workload ran privileged/hostNetwork/hostPID, or if sensitive secrets were accessed or exfiltration is suspected.
 - Harden by enforcing least-privilege RBAC, requiring peer approval for RBAC changes, restricting workload mutations via GitOps-only service accounts, and using admission policies to deny privileged pods, hostPath mounts, and unapproved registries.
 """
 references = [
diff --git a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml
index cd55cbf8734..e1ff2f63e1d 100644
--- a/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_sensitive_workload_modification_by_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/03/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/03/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -26,24 +26,24 @@ This rule detects allowed create or patch activity against sensitive Kubernetes
 
 ### Possible investigation steps
 
-- Retrieve the full audit event for the change and compare it to the most recent prior modification of the same workload to identify what was altered (e.g., image, command/args, env/secret refs, volumes, serviceAccount, securityContext, hostPath/hostNetwork, privileged settings).
-- Attribute the action to a real identity by tracing the Kubernetes user to its backing cloud/IAM identity or kubeconfig/cert and validate whether the access path (SSO, token, service account, CI/CD runner) and source network location are expected for that operator.
-- Determine blast radius by listing other recent creates/patches by the same identity and from the same origin across namespaces, and check for follow-on actions such as creating RBAC bindings, secrets, or additional controllers.
-- Inspect the affected workload’s rollout status and pod specs to confirm whether new pods were created, then review container images, pull registries, and runtime behavior for indicators of compromise (unexpected network egress, crypto-mining, credential access, or exec activity).
+- Retrieve the full audit event for the change and compare it to the most recent prior modification of the same workload to identify what was altered (e.g., image, command/args, env/secret refs, volumes, serviceAccount, securityContext, hostPath/hostNetwork, privileged settings).
+- Attribute the action to a real identity by tracing the Kubernetes user to its backing cloud/IAM identity or kubeconfig/cert and validate whether the access path (SSO, token, service account, CI/CD runner) and source network location are expected for that operator.
+- Determine blast radius by listing other recent creates/patches by the same identity and from the same origin across namespaces, and check for follow-on actions such as creating RBAC bindings, secrets, or additional controllers.
+- Inspect the affected workload’s rollout status and pod specs to confirm whether new pods were created, then review container images, pull registries, and runtime behavior for indicators of compromise (unexpected network egress, crypto-mining, credential access, or exec activity).
 - Validate the change against an approved deployment workflow by correlating with GitOps/CI commit history and change tickets, and if unapproved, contain by scaling down/rolling back the workload and revoking the credential or token used.
 
 ### False positive analysis
 
-- A legitimate on-call engineer performs an emergency `kubectl` create/patch to a Deployment/CronJob/DaemonSet from a new workstation, VPN egress IP, or updated kubectl version, producing an unusual user_agent/source IP/username combination despite being authorized.
+- A legitimate on-call engineer performs an emergency `kubectl` create/patch to a Deployment/CronJob/DaemonSet from a new workstation, VPN egress IP, or updated kubectl version, producing an unusual user_agent/source IP/username combination despite being authorized.
 - A routine automation path changes (e.g., CI runner or service account rotated/migrated to a new node pool or network segment) and continues applying standard workload updates, causing the same create/patch activity to appear anomalous due to the new origin and client identity.
 
 ### Response and remediation
 
-- Immediately pause impact by scaling the modified Deployment/CronJob to zero or deleting the new DaemonSet and stopping any active rollout while preserving the altered manifest for evidence.
-- Roll back the workload to the last known-good version from GitOps/CI or prior ReplicaSet/Job template, then redeploy only after verifying container images, init containers, commands, serviceAccount, and privileged/host settings match the approved baseline.
-- Revoke and rotate the credential used for the change (user token/cert or service account token), invalidate related kubeconfigs, and review/remove any newly created RBAC bindings, secrets, or service accounts tied to the same actor.
-- Quarantine affected nodes and pods for analysis by cordoning/draining nodes that ran the new pods and collecting pod logs, container filesystem snapshots, and network egress details to identify payloads and persistence.
-- Escalate to the incident response/on-call security team immediately if the change introduced privileged containers, hostPath mounts, hostNetwork, new external images/registries, or any unexpected DaemonSet creation across multiple nodes.
+- Immediately pause impact by scaling the modified Deployment/CronJob to zero or deleting the new DaemonSet and stopping any active rollout while preserving the altered manifest for evidence.
+- Roll back the workload to the last known-good version from GitOps/CI or prior ReplicaSet/Job template, then redeploy only after verifying container images, init containers, commands, serviceAccount, and privileged/host settings match the approved baseline.
+- Revoke and rotate the credential used for the change (user token/cert or service account token), invalidate related kubeconfigs, and review/remove any newly created RBAC bindings, secrets, or service accounts tied to the same actor.
+- Quarantine affected nodes and pods for analysis by cordoning/draining nodes that ran the new pods and collecting pod logs, container filesystem snapshots, and network egress details to identify payloads and persistence.
+- Escalate to the incident response/on-call security team immediately if the change introduced privileged containers, hostPath mounts, hostNetwork, new external images/registries, or any unexpected DaemonSet creation across multiple nodes.
 - Harden by enforcing admission controls to restrict privileged settings and sensitive namespaces, requiring changes via approved automation identities, and tightening RBAC so only designated deployment controllers can create/patch DaemonSets, Deployments, and CronJobs.
 """
 references = [
diff --git a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml
index 0314f867e2f..f869cc079a1 100644
--- a/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_service_account_rbac_write_operation.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/04"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -35,16 +35,16 @@ This rule detects Kubernetes service accounts performing allowed write actions o
 
 ### False positive analysis
 
-- A platform automation running in-cluster (e.g., a controller or CI job using a service account) legitimately applies RBAC manifests during routine deployment, upgrades, or namespace onboarding, resulting in create/patch/update of Roles or RoleBindings.
+- A platform automation running in-cluster (e.g., a controller or CI job using a service account) legitimately applies RBAC manifests during routine deployment, upgrades, or namespace onboarding, resulting in create/patch/update of Roles or RoleBindings.
 - A Kubernetes operator or housekeeping workflow running under a service account intentionally adjusts RBAC as part of maintenance (e.g., rotating access, reconciling drift, or cleaning up obsolete bindings) and triggers allowed delete or update actions on RBAC resources.
 
 ### Response and remediation
 
-- Immediately remove or quarantine the offending service account by deleting its RoleBindings/ClusterRoleBindings and restarting or scaling down the owning workload to stop further RBAC writes.
-- Revert the unauthorized RBAC object changes by restoring the last known-good Roles/Bindings from GitOps/manifests (or `kubectl rollout undo` where applicable) and verify no new subjects gained wildcard or cluster-admin-equivalent access.
-- Rotate credentials by recreating the service account or triggering token re-issuance, deleting any mounted legacy token secrets, and redeploying workloads to ensure old tokens cannot be reused.
-- Hunt and eradicate persistence by searching for additional recently modified RBAC objects and newly created service accounts in the same namespaces, then remove unauthorized accounts/bindings and scan the implicated container images for backdoors.
-- Escalate to incident response and cluster administrators immediately if any change grants `cluster-admin`, introduces `*` verbs/resources, or binds a service account to privileged ClusterRoles across namespaces.
+- Immediately remove or quarantine the offending service account by deleting its RoleBindings/ClusterRoleBindings and restarting or scaling down the owning workload to stop further RBAC writes.
+- Revert the unauthorized RBAC object changes by restoring the last known-good Roles/Bindings from GitOps/manifests (or `kubectl rollout undo` where applicable) and verify no new subjects gained wildcard or cluster-admin-equivalent access.
+- Rotate credentials by recreating the service account or triggering token re-issuance, deleting any mounted legacy token secrets, and redeploying workloads to ensure old tokens cannot be reused.
+- Hunt and eradicate persistence by searching for additional recently modified RBAC objects and newly created service accounts in the same namespaces, then remove unauthorized accounts/bindings and scan the implicated container images for backdoors.
+- Escalate to incident response and cluster administrators immediately if any change grants `cluster-admin`, introduces `*` verbs/resources, or binds a service account to privileged ClusterRoles across namespaces.
 - Harden going forward by enforcing least-privilege RBAC, enabling admission controls to restrict RBAC modifications to approved identities/namespaces, and using short-lived projected service account tokens with workload identity constraints.
 """
 references = [
@@ -110,3 +110,4 @@ reference = "https://attack.mitre.org/techniques/T1098/006/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
index 6c59087b0b3..22016d9160b 100644
--- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -107,3 +107,4 @@ reference = "https://attack.mitre.org/techniques/T1078/001/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
index a2e6b2e13ee..d7e8c4ec45a 100644
--- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
+++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_process_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/12"
 integration = ["lmd", "endpoint"]
 maturity = "production"
-updated_date = "2026/02/11"
+updated_date = "2026/03/24"
 
 [rule]
 anomaly_threshold = 70
@@ -95,14 +95,23 @@ Remote Desktop Protocol (RDP) facilitates remote access to systems, often target - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml index db8f0b280e8..c4a9de77ab2 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_mean_rdp_session_duration.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 
@@ -96,14 +96,23 @@ Remote Desktop Protocol (RDP) enables remote access to systems, facilitating adm - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml index b4d4e4a8ff6..8b470800767 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 
@@ -96,14 +96,31 @@ Machine learning models in security environments analyze file transfer patterns - Enhance monitoring and logging for unusual file transfer activities and remote access attempts to improve early detection of similar threats in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1039" +name = "Data from Network Shared Drive" +reference = "https://attack.mitre.org/techniques/T1039/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml index bc0292876e8..28673a7b2a5 100644 --- a/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml +++ b/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 
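Review bot: The new `[[rule.threat]]` block that maps TA0009 Collection via T1039 at the end of this hunk has no corresponding `"Tactic: Collection",` entry visible for this file; the `tags` array is outside the hunk, so it may already carry one, but the same gap applies to L316, which adds an Execution (T1059.001) threat block, and most clearly to L318, where the file's own tags hunk (`@@ -68,6 +68,7 @@`) shows `"Tactic: Credential Access"` as the only tactic tag in view and adds nothing but a blank line while a new Initial Access threat block is appended. If the repository's tag/tactic consistency checks apply, each newly mapped tactic needs its matching tag; the one-line fix here is adding `"Tactic: Collection",` to `tags`. Mapping a rule to a tactic it is not tagged for also hides it from tactic-based rule filtering in the UI, so the mismatch is worth closing in the same PR rather than later.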
@@ -96,14 +96,23 @@ Remote Desktop Protocol (RDP) enables remote access to systems, facilitating leg - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml index 04f5ad44500..ea82363e132 100644 --- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml +++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 
@@ -96,14 +96,18 @@ The 'Unusual Remote File Directory' detection leverages machine learning to iden - Update detection mechanisms and rules to enhance monitoring of less common directories and improve the detection of similar threats in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml index 8cc42195af1..60be1f2cb83 100644 --- a/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml +++ b/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -95,14 +95,18 @@ The detection of unusual remote file extensions leverages machine learning to id - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - 
diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml index 027b7598adf..53517117ac2 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -96,14 +96,23 @@ Remote Desktop Protocol (RDP) is a common tool for remote management, but advers - Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes, ensuring early detection of future attempts.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml index e511ab60262..fb2dd4c72d8 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 @@ -95,14 +95,23 @@ Remote Desktop Protocol (RDP) is crucial for remote management and troubleshooti - Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes in the future, ensuring quick identification and response to potential threats.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml index d5bcf1bf496..c39a26c3580 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_rdp_processes.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 
@@ -94,14 +94,23 @@ Remote Desktop Protocol (RDP) allows users to connect to other computers over a - Enhance monitoring and detection capabilities for RDP sessions by implementing stricter access controls and logging to detect similar anomalies in the future.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml index d66e8ddd4dc..a0665035521 100644 --- a/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml +++ b/rules/integrations/lmd/lateral_movement_ml_spike_in_remote_file_transfers.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 
@@ -97,14 +97,18 @@ Remote file transfer technologies facilitate data sharing across networks, essen - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml index be5de02f9db..c989b30fde8 100644 --- a/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml +++ b/rules/integrations/lmd/lateral_movement_ml_unusual_time_for_an_rdp_session.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/12" integration = ["lmd", "endpoint"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] anomaly_threshold = 70 
@@ -96,14 +96,23 @@ Remote Desktop Protocol (RDP) enables remote access to systems, crucial for IT m - Implement enhanced monitoring on the affected system and related network segments to detect any further suspicious activities or attempts at unauthorized access.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml index 1ad36ca53cc..3b6bdd9ca93 100644 --- a/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml +++ b/rules/integrations/o365/collection_exchange_mailbox_access_by_unusual_client_app_id.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/18" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -169,17 +169,17 @@ event.dataset: "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + [[rule.threat.technique.subtechnique]] id = "T1114.002" name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" 
diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
index e79eaca74da..4dda806d2f7 100644
--- a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
+++ b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/24"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -150,6 +150,16 @@ reference = "https://attack.mitre.org/tactics/TA0009/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1020"
+name = "Automated Exfiltration"
+reference = "https://attack.mitre.org/techniques/T1020/"
+
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
diff --git a/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml b/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml
index f2e5eb1098f..306442c5bcd 100644
--- a/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml
+++ b/rules/integrations/o365/collection_sharepoint_file_download_via_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/24"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/24"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
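Review bot: T1567 (Exfiltration Over Web Service) describes moving data out to an external web service under the adversary's control, whereas the rule this hunk extends observes bulk downloads from the tenant's own OneDrive; that activity is closer to collection from cloud storage, which the file already maps under TA0009 (the `reference = "https://attack.mitre.org/tactics/TA0009/"` funcname line). T1020 (Automated Exfiltration) likewise implies scripted or tooling-driven movement of data, which a download-count threshold does not establish on its own, so the new Exfiltration techniques overstate what the query evidences unless the description explains the inference. Consider keeping the Exfiltration tactic with only the technique the telemetry supports, or adding one sentence to the rule description stating that the download volume is treated as a proxy for exfiltration. Stylistically, the new `[[rule.threat.technique]]` block follows `framework = "MITRE ATT&CK"` with no blank line, unlike the new threat blocks in L307 and L316; L318's appended block has the same omission.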
@@ -86,26 +86,27 @@ event.dataset: "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1213" name = "Data from Information Repositories" reference = "https://attack.mitre.org/techniques/T1213/" + [[rule.threat.technique.subtechnique]] id = "T1213.002" name = "Sharepoint" reference = "https://attack.mitre.org/techniques/T1213/002/" - [[rule.threat.technique]] id = "T1530" name = "Data from Cloud Storage" reference = "https://attack.mitre.org/techniques/T1530/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -114,3 +115,20 @@ id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml index bcad5515b25..7f28c7920d8 100644 --- a/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml +++ b/rules/integrations/o365/credential_access_entra_id_device_reg_via_oauth_redirection.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
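Review bot: The appended Execution/T1059.001 (PowerShell) threat block asserts an execution observation that an o365 audit event cannot make directly; if the PowerShell attribution in this rule rests on a client-reported field such as the user agent (the query is outside the hunk), that value is chosen by the client, and the Execution mapping overstates the evidence. A short addition to the rule description, stating that PowerShell use is inferred from client metadata and may be spoofed or absent, would let triagers weight the mapping accordingly. Separately, the first hunk removes the blank line between the T1213.002 subtechnique and the following `[[rule.threat.technique]]` for T1530 while inserting one between T1213 and its subtechnique, which is the opposite spacing from the lmd hunks (L305, L306, L308) where both boundaries are blank-separated; if a formatter produced one of these layouts, running it over all files in the PR would make them agree.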
@@ -58,6 +58,7 @@ tags = [ "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "eql" @@ -75,48 +76,49 @@ sequence by related.user with maxspan=30m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.005" name = "Device Registration" reference = "https://attack.mitre.org/techniques/T1098/005/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml b/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml index d9d60e52102..0f2f0e73253 100644 --- a/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml +++ b/rules/integrations/o365/credential_access_identity_user_account_lockouts.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/10" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
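Review bot: An empty line now sits inside the `tags` array immediately before the closing `]`, leaving `"Resources: Investigation Guide",` followed by a blank and then `]`; this is valid TOML but reads as an accidental insertion rather than a formatting convention, and the identical blank is added in L318's `@@ -68,6 +68,7 @@` hunk. Dropping the added line restores the compact array ending the file had before the change. The tags array's earlier entries are outside the hunk, so whether the tactic tags match the Persistence and Initial Access threat blocks in the second hunk cannot be confirmed from here.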
@@ -68,6 +68,7 @@ tags = [ "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "esql" @@ -153,3 +154,19 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml index 692780a6416..f6a7afa5ec2 100644 --- a/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml +++ b/rules/integrations/o365/defense_evasion_entra_id_susp_oauth2_authorization.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/01" integration = ["o365"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
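Review bot: The `[[rule.threat]]` appended at the end of the hunk maps user account lockouts to T1078.004 (Cloud Accounts) under Initial Access, but a lockout is evidence of failed authentication, not of a valid account being used. Unless the ES|QL query (outside this hunk) also correlates a subsequent successful sign-in, the mapping overstates what the rule observes; the credential-guessing technique presumably already listed under the Credential Access entry above is the one the signal supports. Consider dropping the new entry, or state in the rule note why a lockout burst should count as Valid Accounts use.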
@@ -188,48 +188,59 @@ from logs-o365.audit-* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml index c1cad5d40cc..dbdd60ecb75 100644 --- a/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_exchange_anti_phish_policy_deletion.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -85,18 +85,23 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml index 07af6dc660d..004e5b760f0 100644 --- a/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml +++ b/rules/integrations/o365/defense_evasion_exchange_dkim_signing_config_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
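Review bot: Adding T1484 (Domain or Tenant Policy Modification) ahead of T1562 for an Exchange anti-phish policy deletion stretches that technique: ATT&CK frames T1484 around domain and identity-tenant configuration (its sub-techniques are Group Policy and Trust Modification), while deleting a mail-protection policy is already precisely covered by the T1562.001 entry kept below it. Keeping both lets coverage dashboards credit the rule for tenant-policy attacks it does not detect. The same T1484 addition appears in the sibling DKIM, Safe Links, malware filter, SharePoint sharing, Teams and guest-access hunks of this change, so the decision should be made once for all of them. If T1484 stays, a comment above it such as `# T1484: Exchange Online protection policies are tenant-scoped configuration` would record the reasoning.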
@@ -78,18 +78,23 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml index 8574d32b915..110b2b65dbd 100644 --- a/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml +++ b/rules/integrations/o365/defense_evasion_exchange_dlp_policy_removed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,11 +80,16 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" diff --git a/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml index 2291a229ffe..ec6089b3a23 100644 --- a/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml 
+++ b/rules/integrations/o365/defense_evasion_exchange_exchange_safelinks_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,18 +83,23 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml index 1a63debc029..be7927c5f2b 100644 --- a/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml +++ b/rules/integrations/o365/defense_evasion_exchange_mailbox_audit_bypass_association.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/13" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -75,23 +75,31 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" -[[rule.threat.technique.subtechnique]] -id = "T1562.008" -name = "Disable or Modify Cloud Logs" -reference = "https://attack.mitre.org/techniques/T1562/008/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml index 9b65cad7179..c42fdc66200 100644 --- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_policy_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
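Review bot: Dropping the T1562.008 (Disable or Modify Cloud Logs) sub-technique removes the most precise mapping this rule has: the hunk header shows the query keys on `event.action:Set-Mailbo…`, presumably `Set-MailboxAuditBypassAssociation`, whose purpose is to stop a principal's mailbox actions from being audited. The retained T1562.001 (Disable or Modify Tools) is broader, and the new T1098 / Persistence entry is a weaker fit, since the bypass is a logging attribute rather than a durable foothold. Restore the `T1562.008` / `Disable or Modify Cloud Logs` subtechnique block under T1562 next to T1562.001, and keep the Persistence entry only if the rule note explains why. The rule's query continues outside the hunk.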
@@ -84,14 +84,18 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml index aeb5c15781c..c8313e37974 100644 --- a/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml +++ b/rules/integrations/o365/defense_evasion_exchange_malware_filter_rule_mod.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,14 +83,23 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml index 146cb01f008..b902db463ca 100644 
--- a/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml +++ b/rules/integrations/o365/defense_evasion_exchange_new_inbox_rule_delete_or_move.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/22" integration = ["o365"] maturity = "production" -updated_date = "2026/01/29" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Jamie Lee", "Marco Pedrinazzi"] @@ -119,22 +119,39 @@ event.dataset: "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.008" name = "Email Hiding Rules" reference = "https://attack.mitre.org/techniques/T1564/008/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1137" +name = "Office Application Startup" +reference = "https://attack.mitre.org/techniques/T1137/" + +[[rule.threat.technique.subtechnique]] +id = "T1137.005" +name = "Outlook Rules" +reference = "https://attack.mitre.org/techniques/T1137/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["user.id", "source.ip"] diff --git a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml index 42f4af5cf54..36613ec061d 100644 --- a/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml +++ b/rules/integrations/o365/defense_evasion_exchange_safe_attach_rule_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
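Review bot: The new Persistence entry maps this rule to T1137.005 (Outlook Rules), which ATT&CK uses for client-side Outlook rules abused to launch executables or scripts, whereas this rule (per its filename and the visible `event.dataset: "o365.audit"` fragment) detects server-side inbox rules that delete or move mail, behavior already covered by the retained T1564.008 (Email Hiding Rules). The mapping will make the rule appear to detect Outlook-rule code execution it does not observe. Consider dropping the T1137.005 entry; if the intent is to capture persistent attacker access to a mailbox, say so in the rule note rather than through this technique. The `[rule.new_terms]` section continues outside the hunk.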
@@ -83,14 +83,18 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml b/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml index 60c6d104619..a059221e92f 100644 --- a/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml +++ b/rules/integrations/o365/defense_evasion_mfa_notification_email_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/25" integration = ["o365"] maturity = "production" -updated_date = "2026/02/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -106,17 +106,36 @@ web where event.dataset == "o365.audit" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.008" name = "Clear Mailbox Data" reference = "https://attack.mitre.org/techniques/T1070/008/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.005" +name = "Device Registration" +reference = "https://attack.mitre.org/techniques/T1098/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml b/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml index 7b81c5b2bd0..8d5e9e22b20 100644 --- a/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml +++ b/rules/integrations/o365/defense_evasion_sharepoint_sharing_policy_weakened.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/27" integration = ["o365"] maturity = "production" -updated_date = "2026/02/27" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
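Review bot: The added `[[rule.threat]]` maps deletion of an MFA notification email to T1098.005 (Device Registration), but the hunk does not show the query matching a device-registration notification specifically; only `web where event.dataset == "o365.audit" and` is visible, and the rule's stated behavior is the email deletion itself (T1070.008). A new authentication method or security-info change produces the same kind of notification without any device being joined, so the sub-technique is an inference rather than something the rule observes. Prefer the parent T1098 (Account Manipulation) unless the query, which continues outside the hunk, pins the subject to a device-registration message, and record that in the rule note.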
@@ -107,10 +107,17 @@ event.dataset: "o365.audit" and event.provider: ("SharePoint" or "OneDrive") and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" @@ -120,4 +127,3 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml index 98575d9075a..9353dbcbee6 100644 --- a/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml +++ b/rules/integrations/o365/defense_evasion_teams_custom_app_interaction_allowed.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,14 +80,18 @@ o365.audit.NewValue:True and event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml b/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml index a83611522d5..570299d5b44 100644 
--- a/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml +++ b/rules/integrations/o365/defense_evasion_teams_external_access_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/30" integration = ["o365"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,14 +78,18 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml index cc943708bc7..b236dee5b22 100644 --- a/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -78,14 +78,31 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1114" +name = "Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/" + +[[rule.threat.technique.subtechnique]] +id = "T1114.003" +name = "Email Forwarding Rule" +reference = "https://attack.mitre.org/techniques/T1114/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml index ed1b40e8736..8ab9e702ec7 100644 --- a/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml +++ b/rules/integrations/o365/exfiltration_exchange_transport_rule_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/19" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -79,14 +79,31 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1537" name = "Transfer Data to Cloud Account" reference = "https://attack.mitre.org/techniques/T1537/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml index 2a6f4711e02..3cd8b3f6c63 100644 --- a/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml +++ b/rules/integrations/o365/impact_security_compliance_potential_ransomware_activity.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/15" integration = ["o365"] maturity = "production" -updated_date = "2026/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
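Review bot: The sibling transport-rule creation rule in this same change gains T1114.003 (Email Forwarding Rule) under Collection, while this modification rule receives T1562.001 (Disable or Modify Tools) instead, so the two rules now disagree about what the same Exchange behavior represents; a modified transport rule can redirect or Bcc mail exactly as a new one can. T1562.001 fits only when the modification disables or weakens a protective rule, which the visible fragment `event.dataset:o365.audit and event.provider:Exchange and event.category:web and` does not establish. Add the same T1114 / T1114.003 Collection entry used by the creation rule, and keep T1562.001 only if the query is narrowed to rule-disabling parameters.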
@@ -86,14 +86,23 @@ event.dataset:o365.audit and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1486" name = "Data Encrypted for Impact" reference = "https://attack.mitre.org/techniques/T1486/" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml index f38c9c8e7ab..10b2649fc72 100644 --- a/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml +++ b/rules/integrations/o365/initial_access_entra_id_portal_login_impossible_travel.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/04" integration = ["o365"] maturity = "production" -updated_date = "2025/10/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -93,17 +93,17 @@ event.dataset:o365.audit and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml b/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml index 50995758898..a593f424e70 100644 --- a/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml 
+++ b/rules/integrations/o365/initial_access_identity_illicit_consent_grant_via_registered_application.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/24" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,34 +102,47 @@ event.dataset: "o365.audit" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml b/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml index f97a3f4fe2b..72c07c33077 100644 --- a/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml +++ b/rules/integrations/o365/initial_access_identity_oauth_phishing_via_first_party_microsoft_application.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/04/23" integration = ["o365"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -141,29 +141,46 @@ event.dataset: "o365.audit" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml b/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml index bf11a1e50c2..f448ef4d4f1 100644 --- a/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml +++ b/rules/integrations/o365/initial_access_identity_unusual_sso_errors_for_user.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2026/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
@@ -103,27 +103,49 @@ event.dataset:o365.audit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + +[[rule.threat.technique]] +id = "T1606" +name = "Forge Web Credentials" +reference = "https://attack.mitre.org/techniques/T1606/" + +[[rule.threat.technique.subtechnique]] +id = "T1606.002" +name = "SAML Tokens" +reference = "https://attack.mitre.org/techniques/T1606/002/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["o365.audit.UserId", "o365.audit.ErrorNumber"] diff --git a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml index 1768e604eac..6a188c194de 100644 --- a/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml +++ b/rules/integrations/o365/persistence_entra_id_global_administrator_role_assign.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/06" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
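Review bot: The new Credential Access entry adds T1606.002 (SAML Tokens) to a rule that fires on unusual SSO error codes for a user, but a forged SAML token (Golden SAML) yields successful, policy-bypassing sign-ins rather than a burst of errors, so nothing this rule sees evidences that technique. T1528 is at least consistent with a token-phishing attempt surfacing as errors, though that too is inferred rather than shown by the visible `event.dataset:o365.audit` fragment. Drop T1606.002, or document in the rule note which `o365.audit.ErrorNumber` values are tied to token forgery. The `[rule.new_terms]` block continues outside the hunk.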
@@ -87,19 +87,36 @@ event.dataset:o365.audit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml index 3618f364ed9..bb5accb60cd 100644 --- a/rules/integrations/o365/persistence_exchange_management_role_assignment.toml +++ b/rules/integrations/o365/persistence_exchange_management_role_assignment.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -84,18 +84,36 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.003" name = "Additional Cloud Roles" reference = "https://attack.mitre.org/techniques/T1098/003/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml index 71b93df4cac..268f01b506b 100644 --- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml +++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_permission_delegation.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
@@ -116,22 +116,39 @@ field_names = [ [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique.subtechnique]] id = "T1098.002" name = "Additional Email Delegate Permissions" reference = "https://attack.mitre.org/techniques/T1098/002/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.002" +name = "Additional Email Delegate Permissions" +reference = "https://attack.mitre.org/techniques/T1098/002/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["o365.audit.UserId"] diff --git a/rules/integrations/o365/persistence_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml index ef65532a6c5..7e3c706e1f9 100644 --- a/rules/integrations/o365/persistence_teams_guest_access_enabled.toml +++ b/rules/integrations/o365/persistence_teams_guest_access_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -78,14 +78,26 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml index 6b821fb7bfe..51e1c706f72 100644 --- a/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml +++ b/rules/integrations/o365/privilege_escalation_exchange_new_or_modified_federation_domain.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["o365"] maturity = "production" -updated_date = "2025/12/10" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] 
@@ -83,19 +83,36 @@ event.outcome:success [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.002" name = "Trust Modification" reference = "https://attack.mitre.org/techniques/T1484/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml index a7c2689ef36..39689dd40f6 100644 --- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml +++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,12 +81,12 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1111" name = "Multi-Factor Authentication Interception" reference = "https://attack.mitre.org/techniques/T1111/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" 
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml index 0c7a8ec869e..e7ef9688ee1 100644 --- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] @@ -79,17 +79,26 @@ event.dataset:okta.system and event.action:user.account.lock [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.threshold] field = ["okta.actor.alternate_id"] value = 3 diff --git a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml index 032c715eb49..9480d17099e 100644 --- a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml +++ b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/10" integration = ["okta"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -92,32 +92,44 @@ event.dataset:okta.system [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - -[[rule.threat.technique]] -id = "T1110" -name = "Brute Force" -reference = "https://attack.mitre.org/techniques/T1110/" [[rule.threat.technique.subtechnique]] id = "T1110.004" name = "Credential Stuffing" reference = "https://attack.mitre.org/techniques/T1110/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.threshold] field = ["okta.debug_context.debug_data.dt_hash"] value = 1 diff --git a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml index 03486d8b6ad..46a0131cce9 100644 --- a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml +++ b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/08" integration = ["okta"] maturity = "production" -updated_date = "2025/09/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -107,14 +107,31 @@ from logs-okta* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1539" name = "Steal Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1539/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.004" +name = "Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1550/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml index 208243ef930..a71ae74e7dd 100644 --- a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml +++ b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/22" integration = ["okta"] maturity = "production" -updated_date = "2025/10/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -79,12 +79,12 @@ data_stream.dataset: "okta.system" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1539" name = "Steal Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1539/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml b/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml index 463bd891fd3..52bd075b206 100644 --- a/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml 
+++ b/rules/integrations/okta/credential_access_okta_aitm_session_cookie_replay.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/26" integration = ["okta"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,6 +89,7 @@ tags = [ "Tactic: Credential Access", "Tactic: Lateral Movement", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "esql" @@ -159,29 +160,31 @@ FROM logs-okta.system-* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1539" name = "Steal Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1539/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.004" name = "Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1550/004/" [rule.threat.tactic] -id = "TA0008" -name = "Lateral Movement" -reference = "https://attack.mitre.org/tactics/TA0008/" - +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml index a27b743a262..223874210c3 100644 --- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml +++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml 
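Review bot: The tactic of the second threat entry changes from TA0008 Lateral Movement to TA0005 Defense Evasion, but the `tags` hunk in the same file keeps `"Tactic: Lateral Movement",` and gains no `"Tactic: Defense Evasion",` entry, so tags and threat mappings now disagree; replace the tag with `"Tactic: Defense Evasion",`, or keep the Lateral Movement threat entry if that mapping was meant to stay. The empty line added before the closing `]` of the tags array in the `@@ -89,6 +89,7 @@` hunk also looks accidental and should be dropped. Both hunks are complete within this chunk.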
@@ -2,7 +2,7 @@ creation_date = "2024/06/17" integration = ["okta"] maturity = "production" -updated_date = "2025/09/25" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,29 +113,23 @@ from logs-okta* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" + [[rule.threat.technique.subtechnique]] id = "T1110.003" name = "Password Spraying" reference = "https://attack.mitre.org/techniques/T1110/003/" - -[[rule.threat.technique]] -id = "T1110" -name = "Brute Force" -reference = "https://attack.mitre.org/techniques/T1110/" [[rule.threat.technique.subtechnique]] id = "T1110.004" name = "Credential Stuffing" reference = "https://attack.mitre.org/techniques/T1110/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml b/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml index 72b54d82017..c44cebb4c05 100644 --- a/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml +++ b/rules/integrations/okta/credential_access_okta_brute_force_device_token_rotation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/17" integration = ["okta"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -122,14 +122,18 @@ FROM logs-okta.system-* METADATA _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml index 81619833eb3..dcb805b61e1 100644 --- a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml +++ b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/18" integration = ["okta"] maturity = "production" -updated_date = "2025/09/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,14 +100,31 @@ sequence by okta.actor.id with maxspan=10m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1621" name = "Multi-Factor Authentication Request Generation" reference = "https://attack.mitre.org/techniques/T1621/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" 
diff --git a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml index ad755fa3b9a..e9241ff3031 100644 --- a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml +++ b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/05" integration = ["okta"] maturity = "production" -updated_date = "2025/09/10" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,14 +102,31 @@ sequence by okta.actor.id with maxspan=10m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1621" name = "Multi-Factor Authentication Request Generation" reference = "https://attack.mitre.org/techniques/T1621/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml index eef4992bb6a..ac2b3ea1aad 100644 --- a/rules/integrations/okta/credential_access_user_impersonation_access.toml +++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml 
@@ -2,7 +2,7 @@ creation_date = "2022/03/22" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,3 +80,20 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml index 5291da1293e..752ebc8c231 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -81,19 +81,28 @@ event.dataset:okta.system and event.action:zone.deactivate [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml index c2ae0981e52..952fb62b7ca 100644 --- a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml +++ b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/11" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
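Review bot: The added T1484.002 Trust Modification sub-technique does not fit this rule: `zone.deactivate` changes an Okta network-zone policy object, while T1484.002 covers changes to domain/tenant trust and federation relationships. The parent T1484 on its own is the defensible mapping, and it is also what the sibling defense_evasion_okta_attempt_to_modify_okta_network_zone hunk in this diff uses, so dropping the three-line `[[rule.threat.technique.subtechnique]]` block for T1484.002 keeps the two network-zone rules consistent. If the sub-technique was chosen deliberately, a sentence in the rule's description (outside this hunk) explaining the trust angle would help the next reviewer.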
@@ -88,22 +88,31 @@ event.dataset: okta.system [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = ["okta.actor.display_name"] diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml index afb56b6df29..b1071d0ebbe 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -88,19 +88,28 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml index 497da81d4d9..a62d5f3a540 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
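Review bot: The Okta policy lifecycle rules end up with divergent mappings after this diff, and the hunks do not say why: this rule (`policy.lifecycle.deactivate`) gains T1556.006, defense_evasion_okta_attempt_to_deactivate_okta_policy_rule gains bare T1556, defense_evasion_okta_attempt_to_delete_okta_policy gains T1556.006 plus a second `[[rule.threat]]` under TA0006 Credential Access, defense_evasion_okta_attempt_to_modify_okta_policy gains T1484 and bare T1556, and the delete/modify policy-rule variants gain T1484 only. Deactivating and deleting a policy have the same effect on authentication enforcement, so the Credential Access entry added to the delete rule should presumably also appear here, or be removed there. Unless the differences are intentional, settle on one mapping set for the policy-level rules and one for the policy-rule-level rules and apply it across all six hunks; the action each rule matches is only visible here from the `event.action` fragment in the hunk header.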
@@ -87,19 +87,23 @@ event.dataset:okta.system and event.action:policy.rule.deactivate [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml index d15fdf5794f..b255db54235 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/28" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -88,19 +88,46 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml index 5b253b86daa..b11ae8c912b 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -87,19 +87,23 @@ event.dataset:okta.system and event.action:policy.rule.delete [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml index 2811f0d54cf..4c429ca0f58 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,19 +87,23 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml index 2be46aca15c..e2e4e61c60e 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -76,19 +76,28 @@ event.dataset:okta.system and event.action:policy.lifecycle.update [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml index b163bbcf480..72e4c5ff146 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -85,19 +85,23 @@ event.dataset:okta.system and event.action:policy.rule.update [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.007" name = "Disable or Modify Cloud Firewall" reference = "https://attack.mitre.org/techniques/T1562/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml index 8c9739a98ea..3dba3d705cc 100644 --- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] 
@@ -82,41 +82,57 @@ event.dataset:okta.system and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [rule.threshold] field = ["okta.actor.alternate_id"] value = 5 diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml index 121e67e54ef..ce1e17c9cf2 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -78,14 +78,13 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml index ade1997e494..e99fc028bfc 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,14 +84,13 @@ event.dataset:okta.system and event.action:application.lifecycle.delete [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml index 79b6707bfb6..3d7fbd734dc 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,4 +90,3 @@ framework = "MITRE ATT&CK" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - 
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml index 52c88d548de..91960faaa25 100644 --- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml +++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,6 +78,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1498" name = "Network Denial of Service" @@ -88,9 +89,17 @@ id = "T1499" name = "Endpoint Denial of Service" reference = "https://attack.mitre.org/techniques/T1499/" +[[rule.threat.technique.subtechnique]] +id = "T1499.002" +name = "Service Exhaustion Flood" +reference = "https://attack.mitre.org/techniques/T1499/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1499.003" +name = "Application Exhaustion Flood" +reference = "https://attack.mitre.org/techniques/T1499/003/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml index 10d46662b9a..9c026e9aac9 100644 --- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml +++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/07" integration = ["okta"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -75,12 +75,22 @@ event.dataset:okta.system and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + [[rule.threat.technique]] id = "T1133" name = "External Remote Services" reference = "https://attack.mitre.org/techniques/T1133/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml index 286487e6a10..80b6b71f2ba 100644 --- a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml +++ b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/07" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] @@ -82,14 +82,18 @@ event.dataset:okta.system and event.category:authentication and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml index d157ea4686f..701332ba9c9 100644 --- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml +++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/05/14" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] @@ -65,6 +65,7 @@ tags = [ "Use Case: Identity and Access Audit", "Data Source: Okta", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "query" @@ -76,23 +77,22 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] -framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -100,6 +100,7 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -107,4 +108,3 @@ framework = "MITRE ATT&CK" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml index 3980b66a6b4..8589d5de25a 100644 --- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml +++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/06" integration = ["okta"] maturity = "production" -updated_date = "2026/01/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
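Review bot: The `[[rule.threat]]` block for TA0005 Defense Evasion is dropped from initial_access_okta_user_attempted_unauthorized_access.toml at `@@ -76,23 +77,22`, but no hunk touches the `Tactic:` entries of the `tags` array, so if a `"Tactic: Defense Evasion",` tag sits above the visible tail of that array it is now stale and should be removed in the same change. The removed block carried no technique, so dropping it is reasonable; the point is only that the tag list and the threat mapping must stay in step. Separately, the `+` line added before `]` in the tags hunk (`@@ -65,6 +65,7`) is a stray blank line inside the array with no formatting purpose; the same artifact appears in the tags hunk of initial_access_sign_in_events_via_third_party_idp.toml on the next line and both should be dropped.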
@@ -74,6 +74,7 @@ tags = [ "Tactic: Initial Access", "Data Source: Okta", "Resources: Investigation Guide", + ] timestamp_override = "event.ingested" type = "new_terms" @@ -111,14 +112,31 @@ value = "now-5d" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1199" name = "Trusted Relationship" reference = "https://attack.mitre.org/techniques/T1199/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml index 2a87b962d34..b44a3a4bf4a 100644 --- a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml +++ b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/07" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,11 +78,16 @@ event.dataset: "okta.system" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0001" 
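Review bot: A second `[[rule.threat]]` block for TA0003 Persistence is added to initial_access_sign_in_events_via_third_party_idp.toml at `@@ -111,14 +112,31`, but the tags hunk above it (`@@ -74,6 +74,7`) shows only `"Tactic: Initial Access",` next to `"Data Source: Okta",`, so unless it sits elsewhere in the array the matching `"Tactic: Persistence",` tag is missing and the rule's tags no longer reflect its threat mapping. The same pattern — a new tactic block with no accompanying tags hunk in the file section — recurs in the okta `persistence_*` rules and the pad `privileged_access_ml_*` rules later in this chunk, so each of those needs its `Tactic:` tag checked as well. Adding `"Tactic: Persistence",` directly after `"Tactic: Initial Access",` here keeps the existing grouping of the array.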
diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml index fdf12c3e90b..25a9fa908ba 100644 --- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml +++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/07" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,17 +87,17 @@ event.dataset:okta.system [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.004" name = "Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1550/004/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml index 859394bc1c4..2d50aeeea9a 100644 --- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml +++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -86,14 +86,31 @@ event.dataset:okta.system and event.action:group.privilege.grant [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml index 4e3bb956cee..ae9abcc159f 100644 --- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml +++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
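Review bot: The existing Persistence `[[rule.threat.technique]]` for T1098 in persistence_administrator_privileges_assigned_to_okta_group.toml is left without a sub-technique while the new Privilege Escalation block maps the same event to `T1098.003` Additional Cloud Roles; the sibling persistence_administrator_role_assigned_to_okta_user.toml on the next line adds the sub-technique to both blocks, so this file should match. The event is the same admin-privilege grant in both blocks, so there is no reason for the Persistence mapping to be coarser. Add the sub-technique under the first T1098 entry as below.
```toml
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"

# … unchanged: [rule.threat.tactic] TA0003 and the new TA0004 block …
```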
@@ -92,14 +92,36 @@ event.dataset:okta.system [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.003" +name = "Additional Cloud Roles" +reference = "https://attack.mitre.org/techniques/T1098/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml index 3d49244c971..110fba31686 100644 --- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml +++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -85,14 +85,23 @@ event.dataset:okta.system and event.action:system.api_token.create [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml index 399af2398c6..7b826d1c120 100644 --- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml +++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -86,14 +86,31 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml index 3f356b7f3ee..04ca3459ae7 100644 --- a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml +++ b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/20" integration = ["okta"] maturity = "production" -updated_date = "2025/09/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -85,19 +85,36 @@ sequence by okta.target.id with maxspan=12h [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.006" name = "Multi-Factor Authentication" reference = "https://attack.mitre.org/techniques/T1556/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.006" +name = "Multi-Factor Authentication" +reference = "https://attack.mitre.org/techniques/T1556/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml index ec410cc91fd..96b1ea065fd 100644 --- a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml +++ b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/06" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -76,19 +76,46 @@ event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" + [[rule.threat.technique.subtechnique]] id = "T1556.007" name = "Hybrid Identity" reference = "https://attack.mitre.org/techniques/T1556/007/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[[rule.threat.technique.subtechnique]] +id = "T1484.002" +name = "Trust Modification" +reference = "https://attack.mitre.org/techniques/T1484/002/" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.007" +name = "Hybrid Identity" +reference = "https://attack.mitre.org/techniques/T1556/007/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml index b85da21efcb..c9f05289582 100644 --- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml +++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/01" integration = ["okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -86,14 +86,36 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.009" +name = "Conditional Access Policies" +reference = "https://attack.mitre.org/techniques/T1556/009/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml index 95c5b7cbd46..8fe48c52427 100644 --- a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "sysmon_linux"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -89,14 +89,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml index cea8bce82f4..edb900374fd 100644 --- a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "sysmon_linux"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -90,14 +90,26 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml index c25efcf1291..9a2e727746b 100644 --- a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "sysmon_linux"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,14 +88,18 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml index 225018502ae..7b479bfd9c8 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -89,6 +89,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" 
@@ -99,9 +100,20 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml index 1387bf22786..e2754c6f00b 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
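Review bot: T1078 is mapped at technique level only in both the Privilege Escalation block and the new Persistence block of privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml, whereas the other Okta rules in this change pin it to `T1078.004` Cloud Accounts (privileged_access_ml_okta_rare_host_name_by_user.toml on the next line adds the sub-technique in both of its blocks). The region-name and source-IP siblings that follow are half-way: they add `T1078.004` in the new Initial Access block but leave the Privilege Escalation block's T1078 bare. These rules read only Okta data (`integration = ["pad", "okta"]`), so the Cloud Accounts sub-technique applies in every block; consider adding `[[rule.threat.technique.subtechnique]]` with `id = "T1078.004"` under each bare T1078 entry in these three files.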
@@ -89,14 +89,36 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml index f79d485a9c4..eddc6f5cc81 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -89,14 +89,31 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml index 938ae0eef73..9568430174e 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -88,14 +88,31 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml index f84ac248bfd..5d92fbdb973 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,6 +88,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" 
@@ -103,9 +104,20 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml index 14c6f23bdb1..e1575db67f9 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -88,6 +88,7 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" 
@@ -98,9 +99,35 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.007"
+name = "Additional Local or Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1098/007/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.007"
+name = "Additional Local or Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1098/007/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
index abd5652b01f..1a67cb5a82f 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -88,6 +88,7 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
@@ -98,9 +99,25 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
index 51b64715dc1..6861aead8f9 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -88,6 +88,7 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
@@ -103,9 +104,20 @@ id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
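Review bot: The `@@ -98,9 +99,25 @@` hunk for the group membership changes rule maps only the bare `T1098` under both TA0004 and TA0003, while the sibling group lifecycle rule in the preceding hunk and the Windows group management rule later in this commit add the `T1098.007` Additional Local or Domain Groups subtechnique for the same technique. Group membership changes are the case that subtechnique describes, so its absence here looks like an omission rather than a deliberate choice; if it is intended, a one-line comment stating why would stop the next sweep from "fixing" it. The subtechnique block below would go after each `reference = "https://attack.mitre.org/techniques/T1098/"` line in this hunk.
```toml
# … unchanged: [[rule.threat.technique]] T1098 entry …
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.007"
name = "Additional Local or Domain Groups"
reference = "https://attack.mitre.org/techniques/T1098/007/"
# … unchanged: [rule.threat.tactic] entry …
```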
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
index 6a80f4a7bd4..e394e67f94b 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -87,6 +87,7 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
@@ -97,9 +98,25 @@ id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
index bf61284eae9..b3949f019b3 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -90,6 +90,7 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
@@ -100,9 +101,30 @@ id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.007"
+name = "Additional Local or Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1098/007/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.007"
+name = "Additional Local or Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1098/007/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
index d287e6828b1..78f44f6aa21 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -87,6 +87,7 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
@@ -97,9 +98,12 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.002"
+name = "Domain Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/002/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
index 581372213fe..84704015718 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -89,6 +89,7 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
@@ -99,9 +100,25 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
index ece76dfc05e..655cc425870 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -89,6 +89,7 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
@@ -99,9 +100,30 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique]]
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
index 3ddc61961fd..8651e7f6c41 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -89,14 +89,26 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
index afb390d2236..539df8411c5 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -91,6 +91,7 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
@@ -101,21 +102,48 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.007"
+name = "Additional Local or Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1098/007/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.007"
+name = "Additional Local or Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1098/007/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
index f7407fd1638..c8216dd03c8 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -89,6 +89,7 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
@@ -99,9 +100,25 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
index c3078e43d19..697850d9351 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -89,14 +89,26 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
index e62fe19f6d7..af481beafbb 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -88,14 +88,26 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
index abb8bb47e03..f0e3a9b3eb4 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -94,14 +94,18 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
index 513d1a8b875..182abe9bb6f 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -94,14 +94,18 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
index 22b4da6597d..9e43cb9de27 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -93,14 +93,18 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
index 7b94ae3ca14..1d01817a6fc 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -95,14 +95,18 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
index a5b82dcbbf8..9202b9bc1d7 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 anomaly_threshold = 75
@@ -95,14 +95,18 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml
index 2bbc37b2ccd..543cda8067c 100644
--- a/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml
+++ b/rules/linux/command_and_control_aws_cli_endpoint_url_used.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/21"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -94,11 +94,15 @@ id = "T1102"
 name = "Web Service"
 reference = "https://attack.mitre.org/techniques/T1102/"
+[[rule.threat.technique.subtechnique]]
+id = "T1102.002"
+name = "Bidirectional Communication"
+reference = "https://attack.mitre.org/techniques/T1102/002/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id"]
diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml
index cab972324d4..595b48de83d 100644
--- a/rules/linux/command_and_control_cat_network_activity.toml
+++ b/rules/linux/command_and_control_cat_network_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/16"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -156,6 +156,11 @@ sequence by host.id, process.entity_id with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
@@ -172,6 +177,11 @@ reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1048"
+name = "Exfiltration Over Alternative Protocol"
+reference = "https://attack.mitre.org/techniques/T1048/"
+
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
diff --git a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
index 5356874e6a6..a5c56ca1d6e 100644
--- a/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
+++ b/rules/linux/command_and_control_cupsd_foomatic_rip_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -127,6 +127,16 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
@@ -152,3 +162,16 @@ framework = "MITRE ATT&CK"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/linux/command_and_control_curl_socks_proxy_detected.toml b/rules/linux/command_and_control_curl_socks_proxy_detected.toml
index cfdde4aab58..f9a315aebd8 100644
--- a/rules/linux/command_and_control_curl_socks_proxy_detected.toml
+++ b/rules/linux/command_and_control_curl_socks_proxy_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -124,6 +124,16 @@ Curl is a versatile command-line tool used for transferring data with URLs, ofte
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1090.002"
+name = "External Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/002/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
index 64968e762a3..a874dbd6731 100644
--- a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
+++ b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -174,3 +174,21 @@ reference = "https://attack.mitre.org/techniques/T1071/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1564.001"
+name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1564/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml
index 8e5b77e396f..2f8b7c39e64 100644
--- a/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml
+++ b/rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -121,6 +121,16 @@ id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/linux/command_and_control_ip_forwarding_activity.toml b/rules/linux/command_and_control_ip_forwarding_activity.toml
index f810448aa2e..50818104f4f 100644
--- a/rules/linux/command_and_control_ip_forwarding_activity.toml
+++ b/rules/linux/command_and_control_ip_forwarding_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -92,6 +92,16 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1090.001"
+name = "Internal Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/001/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/linux/command_and_control_kubectl_networking_modification.toml b/rules/linux/command_and_control_kubectl_networking_modification.toml
index 7eb417f4e4d..24c8efd7c55 100644
--- a/rules/linux/command_and_control_kubectl_networking_modification.toml
+++ b/rules/linux/command_and_control_kubectl_networking_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_de
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/05"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -122,16 +122,16 @@ process.name == "kubectl" and (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1572"
-name = "Protocol Tunneling"
-reference = "https://attack.mitre.org/techniques/T1572/"
-
 [[rule.threat.technique]]
 id = "T1090"
 name = "Proxy"
 reference = "https://attack.mitre.org/techniques/T1090/"
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml
index 2f6eb95ac5b..9cda5267dd7 100644
--- a/rules/linux/command_and_control_linux_chisel_client_activity.toml
+++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -163,6 +163,11 @@ sequence by host.id, process.entity_id with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml
index acd204dae9a..2895259e81d 100644
--- a/rules/linux/command_and_control_linux_kworker_netcon.toml
+++ b/rules/linux/command_and_control_linux_kworker_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/24"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -128,6 +128,11 @@ id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.004"
+name = "Masquerade Task or Service"
+reference = "https://attack.mitre.org/techniques/T1036/004/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
@@ -145,7 +150,6 @@ reference = "https://attack.mitre.org/techniques/T1041/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.name", "host.id"]
diff --git a/rules/linux/command_and_control_linux_proxychains_activity.toml b/rules/linux/command_and_control_linux_proxychains_activity.toml
index c86530e3580..409f98fe875 100644
--- a/rules/linux/command_and_control_linux_proxychains_activity.toml
+++ b/rules/linux/command_and_control_linux_proxychains_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -139,6 +139,16 @@ process.name == "proxychains"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1090.003"
+name = "Multi-hop Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/003/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml
index b4d383c26e2..8cc7c5858d7 100644
--- a/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml
+++ b/rules/linux/command_and_control_linux_ssh_x11_forwarding.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -134,14 +134,31 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
 reference = "https://attack.mitre.org/techniques/T1572/"
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
index 6af65daf2cc..12dfb33d13d 100644
--- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
+++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -169,6 +169,16 @@ process.name == "proxychains" and process.args : (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1090.003"
+name = "Multi-hop Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/003/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
index a32949a8673..6bccac5ae54 100644
--- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
+++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -193,6 +193,21 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1071.004"
+name = "DNS"
+reference = "https://attack.mitre.org/techniques/T1071/004/"
+
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml b/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml
index 971d4da2b10..7125dd7bc96 100644
--- a/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml
+++ b/rules/linux/command_and_control_linux_tunneling_via_ssh_option.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/25"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -118,6 +118,11 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/linux/command_and_control_potential_tunneling_command_line.toml b/rules/linux/command_and_control_potential_tunneling_command_line.toml
index f0209e6a64a..075f98f32fd 100644
--- a/rules/linux/command_and_control_potential_tunneling_command_line.toml
+++ b/rules/linux/command_and_control_potential_tunneling_command_line.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/12"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/12"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -170,6 +170,11 @@ process.command_line regex """.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
index a89abcbc982..a50b571510c 100644
--- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
+++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -219,6 +219,33 @@ id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1037.004"
+name = "RC Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/004/"
+
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1053.003"
+name = "Cron"
+reference = "https://attack.mitre.org/techniques/T1053/003/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable"]
diff --git a/rules/linux/command_and_control_telegram_api_request.toml b/rules/linux/command_and_control_telegram_api_request.toml
index 7c6867e61ea..ee1d8633459 100644
--- a/rules/linux/command_and_control_telegram_api_request.toml
+++ b/rules/linux/command_and_control_telegram_api_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/29"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
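Review bot: The Persistence block added after the Command and Control tactic in the first hunk (T1037.004 "RC Scripts" and T1053.003 "Cron") attaches techniques that a new-terms rule keyed on `process.executable`, as the trailing `[rule.new_terms]` context shows, does not evidence on its own; unless the query, which is outside this hunk, restricts on rc or cron parent processes, these mappings will inflate Persistence coverage and route alerts to an ATT&CK view responders will not expect for a network-activity rule. If the intent is only to remind analysts that unknown executables are often launched from cron or rc scripts, that belongs in the rule description or investigation guide rather than in `[[rule.threat]]`. Please confirm against the query before keeping these two techniques.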
@@ -120,17 +120,27 @@ process.name in ("curl", "wget") and process.command_line like "*api.telegram.or
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
-
- [[rule.threat.technique]]
- name = "Application Layer Protocol"
- id = "T1071"
- reference = "https://attack.mitre.org/techniques/T1071/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Web Protocols"
- id = "T1071.001"
- reference = "https://attack.mitre.org/techniques/T1071/001/"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1102.002"
+name = "Bidirectional Communication"
+reference = "https://attack.mitre.org/techniques/T1102/002/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml
index be519817da2..4146d2eb91d 100644
--- a/rules/linux/command_and_control_tunneling_via_earthworm.toml
+++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/04/12"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -177,6 +177,11 @@ process.args : "-s" and process.args : "-d" and process.args : "rssocks"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1090"
+name = "Proxy"
+reference = "https://attack.mitre.org/techniques/T1090/"
+
 [[rule.threat.technique]]
 id = "T1572"
 name = "Protocol Tunneling"
diff --git a/rules/linux/credential_access_aws_creds_search_inside_container.toml b/rules/linux/credential_access_aws_creds_search_inside_container.toml
index 77439cd442d..809b7166137 100644
--- a/rules/linux/credential_access_aws_creds_search_inside_container.toml
+++ b/rules/linux/credential_access_aws_creds_search_inside_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -116,3 +116,29 @@ reference = "https://attack.mitre.org/techniques/T1552/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 71d52ec71c9..537425e980b 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/22"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -171,6 +171,11 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
@@ -185,7 +190,6 @@ reference = "https://attack.mitre.org/techniques/T1560/001/"
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.command_line", "process.parent.executable"]
diff --git a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
index 417321d89b0..160f0356f1d 100644
--- a/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
+++ b/rules/linux/credential_access_collection_sensitive_files_compression_inside_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -119,6 +119,11 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml
index 777c602f05e..4b773d25664 100644
--- a/rules/linux/credential_access_credential_dumping.toml
+++ b/rules/linux/credential_access_credential_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/27"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -121,3 +121,16 @@ reference = "https://attack.mitre.org/techniques/T1003/008/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/linux/credential_access_gdb_init_process_hooking.toml b/rules/linux/credential_access_gdb_init_process_hooking.toml
index 646c05881fc..fe09ce66225 100644
--- a/rules/linux/credential_access_gdb_init_process_hooking.toml
+++ b/rules/linux/credential_access_gdb_init_process_hooking.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/30"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -122,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1003/007/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/linux/credential_access_gdb_process_hooking.toml b/rules/linux/credential_access_gdb_process_hooking.toml
index af461be6f71..a8d9e3c988d 100644
--- a/rules/linux/credential_access_gdb_process_hooking.toml
+++ b/rules/linux/credential_access_gdb_process_hooking.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/30"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -87,19 +87,36 @@ process.args != "1"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1003"
 name = "OS Credential Dumping"
 reference = "https://attack.mitre.org/techniques/T1003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1003.007"
 name = "Proc Filesystem"
 reference = "https://attack.mitre.org/techniques/T1003/007/"
-
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1055.008"
+name = "Ptrace System Calls"
+reference = "https://attack.mitre.org/techniques/T1055/008/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/credential_access_gh_auth_via_nodejs.toml b/rules/linux/credential_access_gh_auth_via_nodejs.toml
index 1ab982a0861..0fbe0239223 100644
--- a/rules/linux/credential_access_gh_auth_via_nodejs.toml
+++ b/rules/linux/credential_access_gh_auth_via_nodejs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/18"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -69,16 +69,16 @@ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1552"
-name = "Unsecured Credentials"
-reference = "https://attack.mitre.org/techniques/T1552/"
-
 [[rule.threat.technique]]
 id = "T1528"
 name = "Steal Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1528/"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
@@ -96,3 +96,21 @@ reference = "https://attack.mitre.org/techniques/T1613/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
index b4054ccf7f8..a81e911e3b7 100644
--- a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
+++ b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -134,15 +134,20 @@ not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
 [[rule.threat.technique]]
 id = "T1552"
 name = "Unsecured Credentials"
 reference = "https://attack.mitre.org/techniques/T1552/"
-[[rule.threat.technique]]
-id = "T1528"
-name = "Steal Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1528/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
 [rule.threat.tactic]
 id = "TA0006"
@@ -161,3 +166,16 @@ reference = "https://attack.mitre.org/techniques/T1613/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/linux/credential_access_manual_memory_dumping.toml b/rules/linux/credential_access_manual_memory_dumping.toml
index d6f5ffe2135..5cfc95bc8ce 100644
--- a/rules/linux/credential_access_manual_memory_dumping.toml
+++ b/rules/linux/credential_access_manual_memory_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/25"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -129,3 +129,16 @@ reference = "https://attack.mitre.org/techniques/T1212/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
index 020628dd4f9..968fb29c84f 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/21"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -115,3 +115,21 @@ reference = "https://attack.mitre.org/techniques/T1110/003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
index 8f8c9f7c185..f49bfa664f9 100644
--- a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
+++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/14"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -117,3 +117,16 @@ reference = "https://attack.mitre.org/techniques/T1110/003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml
index f543e3ff547..1ffd1eadd04 100644
--- a/rules/linux/credential_access_proc_credential_dumping.toml
+++ b/rules/linux/credential_access_proc_credential_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -131,3 +131,16 @@ reference = "https://attack.mitre.org/techniques/T1212/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1057"
+name = "Process Discovery"
+reference = "https://attack.mitre.org/techniques/T1057/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml
index 0b636c1f0b6..a1fe4c1add7 100644
--- a/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml
+++ b/rules/linux/credential_access_sensitive_keys_or_passwords_search_inside_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -117,3 +117,16 @@ reference = "https://attack.mitre.org/techniques/T1552/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index 1a136471d12..90c1c3704e2 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/21"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -170,3 +170,21 @@ reference = "https://attack.mitre.org/techniques/T1554/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1074.001"
+name = "Local Data Staging"
+reference = "https://attack.mitre.org/techniques/T1074/001/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml b/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml
index feb93587467..449714c3174 100644
--- a/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml
+++ b/rules/linux/credential_access_ssh_password_grabbing_via_strace.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/10"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/24"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -76,6 +76,11 @@ sequence by host.id with maxspan=3s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1056"
+name = "Input Capture"
+reference = "https://attack.mitre.org/techniques/T1056/"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
diff --git a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
index c58ad162a18..effcb209566 100644
--- a/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
+++ b/rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/22"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/29"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -182,31 +182,41 @@ sequence by host.id, process.parent.entity_id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + [[rule.threat.technique]] id = "T1580" name = "Cloud Infrastructure Discovery" reference = "https://attack.mitre.org/techniques/T1580/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml index 6b076f4a605..b340bee6522 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/28" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -123,3 +123,16 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index f1d091298b1..eea9e5baea5 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/22" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -127,7 +127,25 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" +[[rule.threat.technique.subtechnique]] +id = "T1562.004" +name = "Disable or Modify System Firewall" +reference = "https://attack.mitre.org/techniques/T1562/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index 716db12a621..b3ff2f7b3f7 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml 
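Review bot: The new `[[rule.threat]]` entry maps disabling auditd to T1489 Service Stop under TA0040 Impact, and the same entry is added for the iptables/firewall rule further down this line, for defense_evasion_attempt_to_disable_syslog_service.toml and for defense_evasion_kill_command_executed.toml. In ATT&CK, T1489 describes stopping services to make them unavailable, whereas the intent these rules already express through T1562.001 is blinding defenses, so the Impact tag will also pull these rules into Impact coverage views. If the broader tactic coverage is intentional, one sentence in the rule description saying that the stopped daemon is treated as an availability target would save the next reviewer the same question; if not, the T1562.001 mapping alone is the more precise one.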
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -141,3 +141,16 @@ reference = "https://attack.mitre.org/techniques/T1562/001/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml index b1c2b0ae4e9..a7383503df1 100644 --- a/rules/linux/defense_evasion_authorized_keys_file_deletion.toml +++ b/rules/linux/defense_evasion_authorized_keys_file_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,3 +118,16 @@ reference = "https://attack.mitre.org/techniques/T1070/004/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 5b514d442b2..11e14f7ebb2 100644 
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/17" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -142,3 +142,21 @@ reference = "https://attack.mitre.org/techniques/T1140/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1132" +name = "Data Encoding" +reference = "https://attack.mitre.org/techniques/T1132/" + +[[rule.threat.technique.subtechnique]] +id = "T1132.001" +name = "Standard Encoding" +reference = "https://attack.mitre.org/techniques/T1132/001/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/defense_evasion_base64_decoding_activity.toml b/rules/linux/defense_evasion_base64_decoding_activity.toml index 375a8b62e4e..d0fee31c966 100644 --- a/rules/linux/defense_evasion_base64_decoding_activity.toml +++ b/rules/linux/defense_evasion_base64_decoding_activity.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -201,6 +201,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" diff --git a/rules/linux/defense_evasion_bpf_program_tampering.toml b/rules/linux/defense_evasion_bpf_program_tampering.toml index f23dcdf2669..9c269d4eed0 100644 
--- a/rules/linux/defense_evasion_bpf_program_tampering.toml +++ b/rules/linux/defense_evasion_bpf_program_tampering.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,6 +89,11 @@ process.name == "bpftool" and ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" @@ -99,11 +104,6 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" -[[rule.threat.technique]] -id = "T1014" -name = "Rootkit" -reference = "https://attack.mitre.org/techniques/T1014/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml b/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml index 05fae4d0549..2f28952308b 100644 --- a/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml +++ b/rules/linux/defense_evasion_curl_or_wget_executed_via_lolbin.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -144,46 +144,56 @@ sequence with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1202" +name = "Indirect Command Execution" +reference = "https://attack.mitre.org/techniques/T1202/" - [[rule.threat.technique]] - id = "T1218" - name = "System Binary Proxy Execution" - reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - id = "TA0011" - name = "Command and Control" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = 
"https://attack.mitre.org/tactics/TA0011/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - id = "TA0010" - name = "Exfiltration" - reference = "https://attack.mitre.org/tactics/TA0010/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/linux/defense_evasion_directory_creation_in_bin.toml b/rules/linux/defense_evasion_directory_creation_in_bin.toml index 450965c1864..e1b62a2cde4 100644 --- a/rules/linux/defense_evasion_directory_creation_in_bin.toml +++ b/rules/linux/defense_evasion_directory_creation_in_bin.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/01" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,6 +108,16 @@ not process.parent.executable in ("/usr/bin/make", "/bin/make") [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" diff --git a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml index 8f0a8af6a0e..c0e2fdee593 100644 --- a/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml +++ b/rules/linux/defense_evasion_doas_configuration_creation_or_rename.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -112,3 +112,21 @@ reference = "https://attack.mitre.org/techniques/T1548/003/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml index 92d844476c3..7a626cecbc5 100644 --- a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml +++ b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/08" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -160,3 +160,21 @@ reference = "https://attack.mitre.org/techniques/T1574/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 90b9c8b3890..d879a0396bd 100644 
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/27" integration = ["auditd_manager", "crowdstrike", "endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -127,3 +127,15 @@ id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1485" +name = "Data Destruction" +reference = "https://attack.mitre.org/techniques/T1485/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index b838709d6db..7eed59e94d8 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -131,11 +131,15 @@ id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.executable", "process.command_line"] 
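Review bot: `+[[rule.threat]]` is placed directly after the context line `reference = "https://attack.mitre.org/tactics/TA0005/"` with no blank separator, unlike the auditd, syslog and authorized_keys hunks in this commit, which each insert a `+` blank line before the new entry (the hunk counts, 3 old and 15 new lines, leave no room for one here). Add an empty line before `[[rule.threat]]` so the new Impact entry is visually separated from the preceding tactic table, matching the layout used in the sibling files.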
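Review bot: This hunk removes the only blank line between `reference = "https://attack.mitre.org/tactics/TA0005/"` and `[rule.new_terms]`, and the added blocks in defense_evasion_interactive_shell_from_system_user.toml, defense_evasion_kill_command_executed.toml and defense_evasion_ld_preload_cmdline.toml end the same way, with `[rule.new_terms]` immediately following the last `+reference = ...` line. Every other table in these files is separated by one blank line, so the result is inconsistent within the same file. If the rule formatter emits this layout it can stand; otherwise keep the blank line, i.e. drop the `-` line here and add one empty line after the final tactic `reference` in the three other files.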
diff --git a/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml b/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml index 96000cee0bf..d2550c0373f 100644 --- a/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml +++ b/rules/linux/defense_evasion_hex_payload_execution_via_commandline.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["auditd_manager", "crowdstrike", "endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,6 +116,11 @@ id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" diff --git a/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml b/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml index 62bddb86804..8d95fcc7b4d 100644 --- a/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml +++ b/rules/linux/defense_evasion_hex_payload_execution_via_utility.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -156,6 +156,16 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" 
diff --git a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml index 46ad1a21591..a2affed2d17 100644 --- a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml +++ b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,10 +124,15 @@ In Linux environments, system users are typically non-interactive and serve spec [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" [[rule.threat.technique]] id = "T1564" @@ -139,6 +144,28 @@ id = "T1564.002" name = "Hidden Users" reference = "https://attack.mitre.org/techniques/T1564/002/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] 
diff --git a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml index 1ac5aa2f508..c1bb6e2a72d 100644 --- a/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml +++ b/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2026/03/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -126,45 +126,55 @@ sequence by host.id, process.parent.entity_id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" - [[rule.threat.technique]] - name = "Obfuscated Files or Information" - id = "T1027" - reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" - [[rule.threat.technique]] - name = "Deobfuscate/Decode Files or Information" - id = "T1140" - reference = "https://attack.mitre.org/techniques/T1140/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" - - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" - - [[rule.threat.technique]] - name = "User Execution" - id = "T1204" - reference = "https://attack.mitre.org/techniques/T1204/" - - [[rule.threat.technique.subtechnique]] - name = "Malicious File" - id = "T1204.002" - reference = "https://attack.mitre.org/techniques/T1204/002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + 
+[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/defense_evasion_kill_command_executed.toml b/rules/linux/defense_evasion_kill_command_executed.toml index 68a5e17a6e7..225fabde9e2 100644 --- a/rules/linux/defense_evasion_kill_command_executed.toml +++ b/rules/linux/defense_evasion_kill_command_executed.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,10 +103,20 @@ process.name:(kill or pkill or killall) and not ( [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.006" +name = "Indicator Blocking" +reference = "https://attack.mitre.org/techniques/T1562/006/" [[rule.threat.technique]] id = "T1564" 
@@ -118,24 +128,14 @@ id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" -[[rule.threat.technique]] -name = "Impair Defenses" -id = "T1562" -reference = "https://attack.mitre.org/techniques/T1562/" - -[[rule.threat.technique.subtechnique]] -name = "Indicator Blocking" -id = "T1562.006" -reference = "https://attack.mitre.org/techniques/T1562/006/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -146,6 +146,23 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.executable"] diff --git a/rules/linux/defense_evasion_kthreadd_masquerading.toml b/rules/linux/defense_evasion_kthreadd_masquerading.toml index 847734d3990..e002b267bf6 100644 --- a/rules/linux/defense_evasion_kthreadd_masquerading.toml +++ b/rules/linux/defense_evasion_kthreadd_masquerading.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -116,6 +116,11 @@ id = "T1036.004" name = "Masquerade Task or Service" reference = "https://attack.mitre.org/techniques/T1036/004/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" diff --git a/rules/linux/defense_evasion_ld_preload_cmdline.toml b/rules/linux/defense_evasion_ld_preload_cmdline.toml index 3ac9270442c..46324c56b74 100644 --- a/rules/linux/defense_evasion_ld_preload_cmdline.toml +++ b/rules/linux/defense_evasion_ld_preload_cmdline.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -111,57 +111,74 @@ process.args:-c and process.command_line:(*LD_LIBRARY_PATH=* or *LD_PRELOAD=*) [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique]] - name = "Hijack Execution Flow" - id = "T1574" - reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" - [[rule.threat.technique.subtechnique]] - name = "Dynamic Linker Hijacking" - id = "T1574.006" - reference = "https://attack.mitre.org/techniques/T1574/006/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique]] - name = "Hijack Execution Flow" - id = "T1574" - reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" - [[rule.threat.technique.subtechnique]] - name = "Dynamic Linker Hijacking" - id = "T1574.006" - reference = "https://attack.mitre.org/techniques/T1574/006/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Privilege Escalation" - id = "TA0004" - reference = "https://attack.mitre.org/tactics/TA0004/" 
+[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique]] - name = "Hijack Execution Flow" - id = "T1574" - reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" - [[rule.threat.technique.subtechnique]] - name = "Dynamic Linker Hijacking" - id = "T1574.006" - reference = "https://attack.mitre.org/techniques/T1574/006/" +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.name", "process.command_line", "host.id"] diff --git a/rules/linux/defense_evasion_ld_so_creation.toml b/rules/linux/defense_evasion_ld_so_creation.toml index 8559b7e0144..125a2f0289d 100644 --- a/rules/linux/defense_evasion_ld_so_creation.toml +++ b/rules/linux/defense_evasion_ld_so_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -124,6 +124,16 @@ id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index f0e1caa086b..227b89f7c69 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -133,6 +133,11 @@ id = "T1070.002" name = "Clear Linux or Mac System Logs" reference = "https://attack.mitre.org/techniques/T1070/002/" +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index debb67bae1a..f2f493c7d53 100644 --- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -118,6 +118,11 @@ id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique.subtechnique]] +id = "T1564.001" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1564/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml b/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml index 14c9ecdfc1d..2a9ade9c742 100644 --- a/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml +++ b/rules/linux/defense_evasion_multi_base64_decoding_attempt.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/24" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
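Review bot: T1564.001 Hidden Files and Directories is the sub-technique chosen for this mount rule, while the sibling defense_evasion_suspicious_path_mounted.toml in the same change is mapped to T1564.013 Bind Mounts, which is the sub-technique describing artifacts hidden by mounting over a path. The rule's query is outside the hunk, so I cannot tell whether it keys on hidden-path arguments or on the mount itself; if it is the latter, the added block should read `id = "T1564.013"` / `name = "Bind Mounts"` / `reference = "https://attack.mitre.org/techniques/T1564/013/"`. If both apply, list both sub-techniques under the same T1564 entry rather than picking one, so the two mount rules report consistent coverage.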
@@ -120,45 +120,50 @@ sequence by process.parent.entity_id with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" - [[rule.threat.technique]] - name = "Obfuscated Files or Information" - id = "T1027" - reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" - [[rule.threat.technique]] - name = "Deobfuscate/Decode Files or Information" - id = "T1140" - reference = "https://attack.mitre.org/techniques/T1140/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" - - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" - - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" - - [[rule.threat.technique]] - name = "User Execution" - id = "T1204" - reference = "https://attack.mitre.org/techniques/T1204/" - - [[rule.threat.technique.subtechnique]] - name = "Malicious File" - id = "T1204.002" - reference = "https://attack.mitre.org/techniques/T1204/002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + 
+[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml index 105dced6160..2b82e6a07b1 100644 --- a/rules/linux/defense_evasion_potential_kubectl_impersonation.toml +++ b/rules/linux/defense_evasion_potential_kubectl_impersonation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "cloud maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,6 +124,11 @@ not process.parent.args like ("/snap/microk8s/*/apiservice-kicker", "/snap/micro [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" @@ -134,11 +139,6 @@ id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" 
@@ -147,17 +147,30 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" - [[rule.threat.technique]] id = "T1528" name = "Steal Application Access Token" reference = "https://attack.mitre.org/techniques/T1528/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/defense_evasion_potential_kubectl_masquerading.toml b/rules/linux/defense_evasion_potential_kubectl_masquerading.toml index f68521c8f2e..fb320b6a01b 100644 --- a/rules/linux/defense_evasion_potential_kubectl_masquerading.toml +++ b/rules/linux/defense_evasion_potential_kubectl_masquerading.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "cloud_de maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -153,7 +153,43 @@ id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique.subtechnique]] +id = "T1564.001" +name = "Hidden Files and Directories" +reference = "https://attack.mitre.org/techniques/T1564/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index 42658fe2b44..e6c652ffe72 100644 --- a/rules/linux/defense_evasion_rename_esxi_files.toml +++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
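Review bot: The new Execution entry credits this masquerading rule with T1609 Container Administration Command and T1610 Deploy Container, which is only accurate if the query constrains what the renamed kubectl is invoked to do; a masquerading detection normally fires on the binary's name or path regardless of its arguments. The query is outside the hunk, so this is inferred, but T1610 in particular claims coverage of container deployment that nothing in the rule's title suggests. If the query has no argument constraints, keep the T1613 Discovery entry and drop the `[[rule.threat]]` block for TA0002, or at minimum remove the `id = "T1610"` technique and keep only T1609.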
@@ -123,3 +123,16 @@ reference = "https://attack.mitre.org/techniques/T1036/003/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml index 215cc1c7e9e..3ea1172cea6 100644 --- a/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml +++ b/rules/linux/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -92,3 +92,47 @@ reference = "https://attack.mitre.org/techniques/T1218/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/defense_evasion_suspicious_path_mounted.toml b/rules/linux/defense_evasion_suspicious_path_mounted.toml index 33accceabc2..fd5d32f0a2c 100644 --- a/rules/linux/defense_evasion_suspicious_path_mounted.toml +++ b/rules/linux/defense_evasion_suspicious_path_mounted.toml @@ -3,7 +3,7 @@ creation_date = "2025/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
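Review bot: T1059 is added here without a sub-technique, whereas the Unix shell rule elsewhere in this change (defense_evasion_multi_base64_decoding_attempt.toml) maps to T1059.004 Unix Shell; for a Linux rule whose parent is tmux or screen the same sub-technique applies and keeps ATT&CK coverage consistent across the rule set. The Defense Evasion mapping to T1218 is hunk context and unchanged. The sub-technique block below goes directly after the T1059 reference line.
```toml
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

# … unchanged: [rule.threat.tactic] TA0002 Execution …
```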
@@ -114,6 +114,11 @@ id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique.subtechnique]] +id = "T1564.013" +name = "Bind Mounts" +reference = "https://attack.mitre.org/techniques/T1564/013/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml b/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml index 5f5aad743d2..144405b249b 100644 --- a/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml +++ b/rules/linux/defense_evasion_symlink_binary_to_writable_dir.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -90,26 +90,25 @@ process.parent.args:(/usr/bin/qemu-aarch64-static or /usr/sbin/weak-modules or / [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat.technique]] - name = "Hijack Execution Flow" - id = "T1574" - reference = "https://attack.mitre.org/techniques/T1574/" - - [[rule.threat.technique]] - name = "Indirect Command Execution" - id = "T1202" - reference = "https://attack.mitre.org/techniques/T1202/" - - [[rule.threat.technique]] - name = "Hide Artifacts" - id = "T1564" - reference = "https://attack.mitre.org/techniques/T1564/" - +[[rule.threat.technique]] +id = "T1202" +name = "Indirect Command Execution" +reference = "https://attack.mitre.org/techniques/T1202/" + +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.parent.name"] diff --git a/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml b/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml index b1e0758e17c..4f3b999ca1c 100644 --- a/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml +++ b/rules/linux/defense_evasion_sysctl_kernel_feature_activity.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -105,25 +105,30 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" [[rule.threat.technique]] -name = "Impair Defenses" id = "T1562" +name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" [[rule.threat.technique.subtechnique]] -name = "Indicator Blocking" +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[[rule.threat.technique.subtechnique]] id = "T1562.006" +name = "Indicator Blocking" reference = "https://attack.mitre.org/techniques/T1562/006/" -[[rule.threat.technique]] -name = "Subvert Trust Controls" -id = "T1553" -reference = "https://attack.mitre.org/techniques/T1553/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/linux/defense_evasion_unusual_preload_env_vars.toml b/rules/linux/defense_evasion_unusual_preload_env_vars.toml index fb5343a26bc..518e5acd500 100644 --- a/rules/linux/defense_evasion_unusual_preload_env_vars.toml +++ b/rules/linux/defense_evasion_unusual_preload_env_vars.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -147,6 +147,23 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["process.env_vars"] diff --git a/rules/linux/defense_evasion_user_or_group_deletion.toml b/rules/linux/defense_evasion_user_or_group_deletion.toml index dcf6cbd1ec0..697f60f577e 100644 --- a/rules/linux/defense_evasion_user_or_group_deletion.toml +++ b/rules/linux/defense_evasion_user_or_group_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/08" integration = ["system"] maturity = "production" -updated_date = "2026/01/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,3 +94,16 @@ reference = "https://attack.mitre.org/techniques/T1070/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1531" +name = "Account Access Removal" +reference = "https://attack.mitre.org/techniques/T1531/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml index 533fff59b87..9913c5751ec 100644 --- a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml +++ b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml 
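Review bot: The only tactics visible for this rule after the change are Persistence (TA0003, in the hunk's context) and the new Privilege Escalation entry, yet the file lives under the defense_evasion_ prefix; ATT&CK also lists T1574 under Defense Evasion, and the sibling rules defense_evasion_ld_so_creation.toml and discovery_dynamic_linker_via_od.toml in this same change map T1574.006 under TA0005. The earlier `[[rule.threat]]` entries of this file are outside the hunk, so if a Defense Evasion entry already exists above, ignore this. Otherwise add a third `[[rule.threat]]` block identical to the new one but ending in `id = "TA0005"`, `name = "Defense Evasion"`, `reference = "https://attack.mitre.org/tactics/TA0005/"`.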
@@ -2,7 +2,7 @@ creation_date = "2025/03/11" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,6 +103,16 @@ not process.executable:("./usr/bin/podman" or "./install" or /tmp/vmis.*/install [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.002" +name = "Clear Linux or Mac System Logs" +reference = "https://attack.mitre.org/techniques/T1070/002/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" @@ -143,7 +153,6 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.executable"] diff --git a/rules/linux/discovery_docker_socket_discovery.toml b/rules/linux/discovery_docker_socket_discovery.toml index 33a3be52adf..73630bb0d5a 100644 --- a/rules/linux/discovery_docker_socket_discovery.toml +++ b/rules/linux/discovery_docker_socket_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -132,3 +132,16 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
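Review bot: T1070.002 Clear Linux or Mac System Logs is being credited to a rule that, per its file name, fires on a file being created in /var/log by an unusual process; creating a file is not clearing a log, and the rule already carries T1564 Hide Artifacts in the hunk's context for the blend-in-with-logs case. The query is outside the hunk, so if it also matches truncation or overwrite of existing log files the mapping is fine; otherwise the T1070 parent plus T1070.002 over-credit log-clearing coverage. If the mapping is kept, the rule's description (outside the hunk) should state why file creation in /var/log counts as indicator removal, so the next reviewer does not remove it again.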
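Review bot: T1609 Container Administration Command under Execution is added to a rule whose name says it detects discovery of the Docker socket, and which already carries T1613 Container and Resource Discovery in the hunk's context; enumerating /var/run/docker.sock is not executing a container administration command. The query is outside the hunk, so if it also matches commands that talk to the socket (a docker or curl invocation pointed at the unix socket) the Execution mapping is justified. If it only matches find/ls/stat style enumeration, the new `[[rule.threat]]` block for TA0002 should be removed to avoid over-stating coverage.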
diff --git a/rules/linux/discovery_dynamic_linker_via_od.toml b/rules/linux/discovery_dynamic_linker_via_od.toml index 40420f501f9..242d0bcb4b7 100644 --- a/rules/linux/discovery_dynamic_linker_via_od.toml +++ b/rules/linux/discovery_dynamic_linker_via_od.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,7 +117,30 @@ id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index a2e43bc8e59..ab2c7bb235d 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
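Review bot: The new Defense Evasion entry credits T1574.006 Dynamic Linker Hijacking to a rule that, by its name and its Discovery mappings (T1057 in the hunk's context, T1083 added in this hunk), observes the dynamic linker being read with od rather than modified or preloaded; reading ld.so is reconnaissance for a hijack, not the hijack itself. The query is outside the hunk, so this is inferred. If the intent is to flag the precursor, the Discovery mappings already cover it and the TA0005 block can go; if the rule also matches writes to the linker or its preload configuration, keep the block but say so in the description.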
@@ -113,6 +113,11 @@ not ?process.parent.executable == "/usr/lib/vmware/viewagent/bin/uninstall_viewa [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index af3f9c6de0c..deab74f05b3 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/11" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,6 +113,11 @@ not ?process.parent.executable in ("/usr/share/qemu/init/qemu-kvm-init", "/etc/s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [[rule.threat.technique]] id = "T1518" name = "Software Discovery" diff --git a/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml b/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml index 401470b341b..2206fa79cac 100644 --- a/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml +++ b/rules/linux/discovery_kernel_instrumentation_discovery_via_kprobes_and_tracefs.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/20" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -92,6 +92,11 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index e78a5b7070c..d456bfc7ff6 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -126,11 +126,15 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/discovery_kernel_seeking.toml b/rules/linux/discovery_kernel_seeking.toml index f7159bd2840..d6403ec34ff 100644 --- a/rules/linux/discovery_kernel_seeking.toml +++ b/rules/linux/discovery_kernel_seeking.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -134,3 +134,16 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/linux/discovery_kernel_unpacking.toml b/rules/linux/discovery_kernel_unpacking.toml index 5fd3d44ce52..d41f42360fe 100644 --- a/rules/linux/discovery_kernel_unpacking.toml +++ b/rules/linux/discovery_kernel_unpacking.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,6 +128,11 @@ id = "T1014" name = "Rootkit" reference = "https://attack.mitre.org/techniques/T1014/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/discovery_kubeconfig_file_discovery.toml b/rules/linux/discovery_kubeconfig_file_discovery.toml index 499b8b47ad0..48e5d0fee93 100644 --- a/rules/linux/discovery_kubeconfig_file_discovery.toml +++ b/rules/linux/discovery_kubeconfig_file_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -141,6 +141,11 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" @@ -150,3 +155,21 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/discovery_kubectl_permission_discovery.toml b/rules/linux/discovery_kubectl_permission_discovery.toml index 51b3731597f..de88fa301ea 100644 --- a/rules/linux/discovery_kubectl_permission_discovery.toml +++ b/rules/linux/discovery_kubectl_permission_discovery.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_ maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,6 +118,11 @@ process.name == "kubectl" and process.args == "auth" and process.args == "can-i" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" 
diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index 13cafc9195f..bd67464f5af 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,14 +128,18 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index 0e020284684..309a3429afc 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -128,14 +128,26 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1498" +name = "Network Denial of Service" +reference = "https://attack.mitre.org/techniques/T1498/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml b/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml index 221cc4ff072..2ef9d22056f 100644 --- a/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml +++ b/rules/linux/discovery_manual_mount_discovery_via_exports_or_fstab.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,6 +116,11 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1135" +name = "Network Share Discovery" +reference = "https://attack.mitre.org/techniques/T1135/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml index fd9295a70a0..c714e5ca09f 100644 --- a/rules/linux/discovery_pam_version_discovery.toml +++ b/rules/linux/discovery_pam_version_discovery.toml 
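Review bot: T1498 Network Denial of Service is added for nping but not for the hping rule in the same change (discovery_linux_hping_activity.toml, which only gains T1046), even though to my knowledge hping3 has a flood option used for the same purpose, so the two rules now report different Impact coverage for equivalent tooling. The queries are outside the hunks, so if the hping query deliberately excludes flood or rate options the asymmetry is intended. Otherwise add the same `[[rule.threat]]` block with `id = "T1498"`, `name = "Network Denial of Service"` and `reference = "https://attack.mitre.org/techniques/T1498/"` under TA0040 to the hping rule, or drop it here.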
@@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -127,6 +127,11 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_ping_sweep_detected.toml b/rules/linux/discovery_ping_sweep_detected.toml index 1cffefe920a..614d53eda9b 100644 --- a/rules/linux/discovery_ping_sweep_detected.toml +++ b/rules/linux/discovery_ping_sweep_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/04" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,11 @@ process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" @@ -119,7 +124,6 @@ reference = "https://attack.mitre.org/techniques/T1046/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.threshold] field = ["host.id", "process.parent.entity_id", "process.executable"] value = 1 diff --git a/rules/linux/discovery_polkit_version_discovery.toml b/rules/linux/discovery_polkit_version_discovery.toml index 2420b1dc14c..12be701fa44 100644 --- a/rules/linux/discovery_polkit_version_discovery.toml +++ b/rules/linux/discovery_polkit_version_discovery.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,6 +115,11 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_private_key_password_searching_activity.toml b/rules/linux/discovery_private_key_password_searching_activity.toml index 413d337fc5a..b5aaf68561b 100644 --- a/rules/linux/discovery_private_key_password_searching_activity.toml +++ b/rules/linux/discovery_private_key_password_searching_activity.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,11 @@ process.command_line like ("*/home/*", "*/etc/ssh*", "*/root/*", "/") [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" @@ -128,6 +133,11 @@ id = "T1552.001" name = "Credentials In Files" reference = "https://attack.mitre.org/techniques/T1552/001/" +[[rule.threat.technique.subtechnique]] +id = "T1552.004" +name = "Private Keys" +reference = "https://attack.mitre.org/techniques/T1552/004/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/linux/discovery_process_capabilities.toml b/rules/linux/discovery_process_capabilities.toml index 41b4c8bda26..17213c9ac70 100644 
--- a/rules/linux/discovery_process_capabilities.toml +++ b/rules/linux/discovery_process_capabilities.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,6 +105,11 @@ id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/discovery_security_file_access_via_common_utility.toml b/rules/linux/discovery_security_file_access_via_common_utility.toml index c80d995820a..8651c5b6ca2 100644 --- a/rules/linux/discovery_security_file_access_via_common_utility.toml +++ b/rules/linux/discovery_security_file_access_via_common_utility.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -125,7 +125,30 @@ process.args like ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" 
diff --git a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml index 6f3aab1b3ca..a7db2fe6646 100644 --- a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml +++ b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -150,6 +150,11 @@ from logs-endpoint.events.network-* metadata _id, _index, _version [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml index 9c5015f5db1..4dc21585e5e 100644 --- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml +++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -106,14 +106,41 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.001" +name = "Local Groups" +reference = "https://attack.mitre.org/techniques/T1069/001/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/discovery_suspicious_memory_grep_activity.toml b/rules/linux/discovery_suspicious_memory_grep_activity.toml index 56148d7dbb8..7830ed690af 100644 --- a/rules/linux/discovery_suspicious_memory_grep_activity.toml +++ b/rules/linux/discovery_suspicious_memory_grep_activity.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/05" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,6 +90,11 @@ id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" 
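Review bot: Adding T1548.003 Sudo and Sudo Caching under TA0004 Privilege Escalation to a rule that, going by its file name, fires on enumeration of allowed sudo commands assigns an escalation tactic to activity that only shows the adversary reading sudoers permissions; the query itself is outside the hunk, so if it does not also match actual privileged sudo invocation this mapping overstates what an alert evidences and should be removed or justified in the rule description. The T1069.001 Local Groups addition fits only under ATT&CK's "permission settings" reading of Permission Groups Discovery, so if that is the rationale, record it so a later mapping pass does not flip it again. As far as the collapsed hunk shows, no `+` blank line precedes the `[rule.threat.tactic]` context after `reference = "https://attack.mitre.org/techniques/T1069/001/"`, so the T1069 block appears to lack a separator at one of its two boundaries (after the T1033 reference or before the tactic table), unlike the T1548 block below it; add the missing blank line.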
diff --git a/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml b/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml index e78382373b9..4bf51659a5f 100644 --- a/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml +++ b/rules/linux/discovery_suspicious_network_tool_launched_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -146,3 +146,16 @@ reference = "https://attack.mitre.org/techniques/T1595/" id = "TA0043" name = "Reconnaissance" reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1040" +name = "Network Sniffing" +reference = "https://attack.mitre.org/techniques/T1040/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/discovery_suspicious_which_command_execution.toml b/rules/linux/discovery_suspicious_which_command_execution.toml index 732545b5d3b..70658812d74 100644 --- a/rules/linux/discovery_suspicious_which_command_execution.toml +++ b/rules/linux/discovery_suspicious_which_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -84,14 +84,23 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml index e855e9a3297..bd4ae498b4b 100644 --- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml +++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -109,6 +109,26 @@ id = "T1033" name = "System Owner/User Discovery" reference = "https://attack.mitre.org/techniques/T1033/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.001" +name = "Local Groups" +reference = "https://attack.mitre.org/techniques/T1069/001/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + +[[rule.threat.technique.subtechnique]] +id = "T1087.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1087/001/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" 
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index db90a1ad7af..4fc88b14ba4 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -142,7 +142,35 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + +[[rule.threat.technique.subtechnique]] +id = "T1497.001" +name = "System Checks" +reference = "https://attack.mitre.org/techniques/T1497/001/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1497" +name = "Virtualization/Sandbox Evasion" +reference = "https://attack.mitre.org/techniques/T1497/" + +[[rule.threat.technique.subtechnique]] +id = "T1497.001" +name = "System Checks" +reference = "https://attack.mitre.org/techniques/T1497/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/discovery_yum_dnf_plugin_detection.toml b/rules/linux/discovery_yum_dnf_plugin_detection.toml index 2d0397313ad..1672b6a16b4 100644 --- a/rules/linux/discovery_yum_dnf_plugin_detection.toml +++ b/rules/linux/discovery_yum_dnf_plugin_detection.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/06/25" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,6 +117,16 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index 6310d47ea9b..a6c74f46cc4 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -153,6 +153,23 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["process.name", "file.name"] 
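Review bot: The inserted Defense Evasion block in the `@@ -153,6 +153,23 @@` hunk carries no boundary blank line of its own — `+[[rule.threat]]` follows the `reference = "https://attack.mitre.org/tactics/TA0002/"` context directly, and `+reference = "https://attack.mitre.org/tactics/TA0005/"` is followed directly by the `[rule.new_terms]` context — and the 6→23 counts (17 added lines, three of them internal blanks) mean the single pre-existing blank can cover only one of those two junctions. Add a blank line at the other junction so `[[rule.threat]]`, `[rule.threat.tactic]` and `[rule.new_terms]` are each separated by exactly one blank, matching the rest of the file.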
diff --git a/rules/linux/execution_container_management_binary_launched_inside_container.toml b/rules/linux/execution_container_management_binary_launched_inside_container.toml index f32d2b56652..c2cb790e00e 100644 --- a/rules/linux/execution_container_management_binary_launched_inside_container.toml +++ b/rules/linux/execution_container_management_binary_launched_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,16 @@ reference = "https://attack.mitre.org/techniques/T1609/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml index ecf13768813..b467de4246f 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -123,6 +123,16 @@ sequence by host.id with maxspan=10s [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" diff --git a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml index e3029462837..b2d2d1ad475 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -134,6 +134,16 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" diff --git a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml index 9a89825b302..02db558cf6d 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_shell_execution.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -132,14 +132,23 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml index 21393246708..9f190ca97d1 100644 --- a/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml +++ b/rules/linux/execution_cupsd_foomatic_rip_suspicious_child_execution.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/27" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -148,14 +148,80 @@ process.parent.name in ("foomatic-rip", "cupsd") and process.command_line like ( [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = 
"https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml index 4f987d0a01c..d0e7ede71e6 100644 --- a/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml +++ b/rules/linux/execution_egress_connection_from_entrypoint_in_container.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,3 +113,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_executable_stack_execution.toml b/rules/linux/execution_executable_stack_execution.toml index db15ac7e5ad..35222dec4d9 100644 --- a/rules/linux/execution_executable_stack_execution.toml +++ b/rules/linux/execution_executable_stack_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["system"] maturity = "production" -updated_date = "2025/01/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -105,3 +105,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1620" +name = "Reflective Code Loading" +reference = "https://attack.mitre.org/techniques/T1620/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml index d2a3a87c967..b597a771bd4 100644 --- a/rules/linux/execution_file_execution_followed_by_deletion.toml +++ b/rules/linux/execution_file_execution_followed_by_deletion.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,3 +123,34 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
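Review bot: Mapping T1620 Reflective Code Loading under TA0005 to the executable-stack rule (integration `system`, i.e. a log-sourced signal) attributes in-memory, disk-less payload loading to an event that, judging from the file name and the existing T1059.004 mapping, is presumably the kernel or loader flagging a process started with an executable stack — a property of the binary at exec time, not evidence that code was reflectively loaded. Unless the query matches something beyond that message, drop the T1620 block or explain in the rule description why an executable-stack exec is being treated as reflective loading; keeping the rule at Execution only is easier to defend from this signal.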
diff --git a/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml b/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml index 18431eba5ca..48c6e1b68b6 100644 --- a/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml +++ b/rules/linux/execution_file_made_executable_via_chmod_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,7 +123,35 @@ id = "T1222.002" name = "Linux and Mac File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/002/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index 59cdf65a41e..308b4452652 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/10/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -161,3 +161,34 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[[rule.threat.technique.subtechnique]] +id = "T1048.003" +name = "Exfiltration Over Unencrypted Non-C2 Protocol" +reference = "https://attack.mitre.org/techniques/T1048/003/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/linux/execution_kubectl_apply_pod_from_url.toml b/rules/linux/execution_kubectl_apply_pod_from_url.toml index 7358ddd13d1..93e9de69f4d 100644 --- a/rules/linux/execution_kubectl_apply_pod_from_url.toml +++ b/rules/linux/execution_kubectl_apply_pod_from_url.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_m maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -116,16 +116,16 @@ not process.args like~ ("*download.elastic.co*", "*github.com/kubernetes-sigs/*" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1610" -name = "Deploy Container" -reference = "https://attack.mitre.org/techniques/T1610/" - [[rule.threat.technique]] id = "T1609" name = "Container Administration Command" reference = "https://attack.mitre.org/techniques/T1609/" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml b/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml index 15462abd9f1..f7e21e35d61 100644 --- a/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml +++ b/rules/linux/execution_kubernetes_direct_api_request_via_curl_or_wget.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_m maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -144,6 +144,11 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique]] id = "T1613" name = "Container and Resource Discovery" 
@@ -153,3 +158,21 @@ reference = "https://attack.mitre.org/techniques/T1613/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.007" +name = "Container API" +reference = "https://attack.mitre.org/techniques/T1552/007/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml index 7e6e8f09bbf..48f29f64038 100644 --- a/rules/linux/execution_nc_listener_via_rlwrap.toml +++ b/rules/linux/execution_nc_listener_via_rlwrap.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,3 +128,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml index b094488daa9..5e3fa776b44 100644 --- a/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml +++ b/rules/linux/execution_netcon_from_rwx_mem_region_binary.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,6 +111,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -128,3 +133,16 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1620" +name = "Reflective Code Loading" +reference = "https://attack.mitre.org/techniques/T1620/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml index 42342789d2f..57187ffedd9 100644 --- a/rules/linux/execution_network_event_post_compilation.toml +++ b/rules/linux/execution_network_event_post_compilation.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -135,6 +135,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index fdf0986337e..01e048ff1de 100644 --- a/rules/linux/execution_perl_tty_shell.toml 
+++ b/rules/linux/execution_perl_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -130,6 +130,11 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml index c3d550b7b8b..267e8cb0ef4 100644 --- a/rules/linux/execution_potential_hack_tool_executed.toml +++ b/rules/linux/execution_potential_hack_tool_executed.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/22" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -133,3 +133,84 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.002" +name = "Password Cracking" +reference = "https://attack.mitre.org/techniques/T1110/002/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.002" +name = "Vulnerability Scanning" +reference = "https://attack.mitre.org/techniques/T1595/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1595.003" +name = "Wordlist Scanning" 
+reference = "https://attack.mitre.org/techniques/T1595/003/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/linux/execution_potentially_overly_permissive_container_creation.toml b/rules/linux/execution_potentially_overly_permissive_container_creation.toml index 69ded33a6ec..dd1099bb85a 100644 --- a/rules/linux/execution_potentially_overly_permissive_container_creation.toml +++ b/rules/linux/execution_potentially_overly_permissive_container_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,6 +122,11 @@ id = "T1609" name = "Container Administration Command" reference = "https://attack.mitre.org/techniques/T1609/" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -139,7 +144,6 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] diff --git a/rules/linux/execution_process_backgrounded_by_unusual_parent.toml b/rules/linux/execution_process_backgrounded_by_unusual_parent.toml index b89fc96dc27..dcfef99c872 100644 --- a/rules/linux/execution_process_backgrounded_by_unusual_parent.toml +++ b/rules/linux/execution_process_backgrounded_by_unusual_parent.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/29" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
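Review bot: The new Credential Access `[[rule.threat]]` block begins immediately after the context line `reference = "https://attack.mitre.org/tactics/TA0002/"` with no separating empty line, and the hunk header's old-side count of 3 (id, name, reference) confirms no blank context line is hidden by the collapsed layout. Every other hunk in this commit that appends a threat block (execution_nc_listener_via_rlwrap.toml, execution_remote_code_execution_via_postgresql.toml, execution_tc_bpf_filter.toml and others) adds a `+` empty line first, so insert an empty line before `[[rule.threat]]` here. The same omission is present in the execution_suspicious_executable_running_system_commands.toml hunk (old-side count 6, again with no room for a hidden blank), and possibly in the execution_unknown_rwx_mem_region_binary_executed.toml hunk, where the layout leaves one blank line unplaceable. Separately, T1595.002 and T1595.003 are mapped under TA0043 Reconnaissance, which ATT&CK scopes to pre-compromise probing of a target, whereas an endpoint rule observes the tool being executed on a monitored host; the T1046 Network Service Discovery mapping added in the same hunk already covers the internal-scanning case, so confirm the Reconnaissance mapping is intended rather than duplicative.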
@@ -124,6 +124,11 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -132,6 +137,16 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.009" +name = "Break Process Trees" +reference = "https://attack.mitre.org/techniques/T1036/009/" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" @@ -141,7 +156,6 @@ reference = "https://attack.mitre.org/techniques/T1564/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.name"] diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index 9188badd565..6ea1de11b32 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/11" integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -88,14 +88,36 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.008" +name = "Masquerade File Type" +reference = "https://attack.mitre.org/techniques/T1036/008/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index 1f0801f42f1..bec9a7025f8 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -128,3 +128,16 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index c8eff177979..b6bdfa7b727 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/15" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,6 +117,11 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [[rule.threat.technique.subtechnique]] id = "T1059.006" name = "Python" diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index 1cecb668514..177c05598ab 100644 --- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml @@ -2,7 +2,7 @@ creation_date = "2022/06/20" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,3 +124,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index a1fd996d20e..82295dbf93a 100644 
--- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -2,7 +2,7 @@ creation_date = "2022/05/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -194,19 +194,31 @@ process where host.os.type == "linux" and event.type == "start" and process.exec [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1202" +name = "Indirect Command Execution" +reference = "https://attack.mitre.org/techniques/T1202/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_shell_openssl_client_or_server.toml b/rules/linux/execution_shell_openssl_client_or_server.toml index b57a9c5ebbe..5d19d5276d6 100644 --- a/rules/linux/execution_shell_openssl_client_or_server.toml +++ b/rules/linux/execution_shell_openssl_client_or_server.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/30" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -136,6 +136,16 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1573" +name = "Encrypted Channel" +reference = "https://attack.mitre.org/techniques/T1573/" + +[[rule.threat.technique.subtechnique]] +id = "T1573.002" +name = "Asymmetric Cryptography" +reference = "https://attack.mitre.org/techniques/T1573/002/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml index 71f6934441f..665394590e0 100644 --- a/rules/linux/execution_shell_via_background_process.toml +++ b/rules/linux/execution_shell_via_background_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/20" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -129,6 +129,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml index b1d6944dd41..86d6082bcbc 100644 --- a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml +++ b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/11/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -131,6 +131,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml index 26b891475de..460eaa351cf 100644 --- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml +++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -131,6 +131,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -144,6 +149,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml index 8e75039764d..4d45d18d00c 100644 --- a/rules/linux/execution_shell_via_meterpreter_linux.toml +++ b/rules/linux/execution_shell_via_meterpreter_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/10" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -144,3 +144,31 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" + +[[rule.threat.technique.subtechnique]] +id = "T1087.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1087/001/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml index ed5b8943ef7..5b6fc4511da 100644 --- a/rules/linux/execution_shell_via_suspicious_binary.toml +++ b/rules/linux/execution_shell_via_suspicious_binary.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -139,6 +139,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml index c8be644cd99..600e8165d13 100644 --- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml 
+++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -129,6 +129,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml index 35f575a8b8e..4f6e3d3579b 100644 --- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/04" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -137,6 +137,16 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -150,6 +160,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" 
diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml index 19461e6ab6b..b40f0b00185 100644 --- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml +++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -132,6 +132,11 @@ id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.015" +name = "Compression" +reference = "https://attack.mitre.org/techniques/T1027/015/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml index 880ff976e63..6bdc18fb314 100644 --- a/rules/linux/execution_suspicious_executable_running_system_commands.toml +++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -135,6 +135,43 @@ id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1049" +name = "System Network Connections Discovery" +reference = "https://attack.mitre.org/techniques/T1049/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.name"] diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index 30a5f83b43b..a1e246c63e2 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/08" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -120,3 +120,34 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1496" +name = "Resource Hijacking" +reference = "https://attack.mitre.org/techniques/T1496/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml index a35ae4ec714..6438bae79a2 100644 --- a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml +++ b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/01" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,6 +108,11 @@ id = "T1609" name = "Container Administration Command" reference = "https://attack.mitre.org/techniques/T1609/" +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + [rule.threat.tactic] id = "TA0002" name = "Execution" 
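Review bot: T1496 Resource Hijacking is added under Impact without a sub-technique, although ATT&CK defines T1496.001 Compute Hijacking, which is the specific match for cryptomining process creation; the rest of this commit, including the T1543.002 entry in this same hunk, consistently maps to the most specific sub-technique. Consider adding a `[[rule.threat.technique.subtechnique]]` entry with `id = "T1496.001"`, `name = "Compute Hijacking"` and `reference = "https://attack.mitre.org/techniques/T1496/001/"` directly after the T1496 technique. The T1543.002 Systemd Service mapping under Persistence implies the query matches systemd-related activity and not only miner execution, which cannot be seen from the hunk; confirm the query covers that before keeping the mapping.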
@@ -116,6 +121,26 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" @@ -129,6 +154,16 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" 
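Review bot: T1548.003 Sudo and Sudo Caching and T1574.006 Dynamic Linker Hijacking are added to the Privilege Escalation threat of a rule that detects pod or container creation commands, and the following hunk adds T1037.004, T1098.004, T1546.004, T1547.013 and T1574.006 to the Persistence threat; these mappings only hold if the query matches the corresponding payload patterns (sudo, LD_PRELOAD, authorized_keys, shell rc files, XDG autostart entries) inside the creation command, which is outside the hunk. If the query does match them, the rule description should state that the command line contents are inspected for those patterns; if it does not, the mappings overstate the rule's coverage and should be trimmed to what the query actually detects. Listing T1574.006 under both tactics is consistent with ATT&CK, so that duplication needs no change.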
@@ -144,6 +179,46 @@ id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.004" +name = "SSH Authorized Keys" +reference = "https://attack.mitre.org/techniques/T1098/004/" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.013" +name = "XDG Autostart Entries" +reference = "https://attack.mitre.org/techniques/T1547/013/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/execution_system_binary_file_permission_change.toml b/rules/linux/execution_system_binary_file_permission_change.toml index c9804ea2744..f288223ac7d 100644 --- a/rules/linux/execution_system_binary_file_permission_change.toml +++ b/rules/linux/execution_system_binary_file_permission_change.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -125,3 +125,39 @@ reference = "https://attack.mitre.org/techniques/T1059/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" + +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index 52cc47e2b35..f71d3a5316e 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/11" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -129,3 +129,21 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml index 6c81fd12cc5..4db0ac23cdf 100644 --- a/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml +++ b/rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/13" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -109,11 +109,28 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1620" +name = "Reflective Code Loading" +reference = "https://attack.mitre.org/techniques/T1620/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["process.name"] 
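Review bot: In the execution_unknown_rwx_mem_region_binary_executed hunk, the old/new line counts leave room for exactly one blank line between the existing `reference = "https://attack.mitre.org/tactics/TA0002/"` and the following `[rule.new_terms]`, so in the new file the appended `[[rule.threat]]` block abuts either the previous tactic block or `[rule.new_terms]` (the collapsed rendering hides which side). Every other table in these rule files is separated by a single blank line, so a `+` blank line should be added on whichever side lacks it. As far as the counts show, the same one-blank-short layout appears where a block is appended in front of `[rule.new_terms]` or `[rule.threshold]` in execution_unusual_kthreadd_execution, execution_unusual_pkexec_execution, impact_process_kill_threshold, lateral_movement_remote_file_creation_world_writeable_dir and lateral_movement_unusual_remote_file_creation, and around the new `[rule.threat.tactic]` that follows the T1021.004 subtechnique in the three initial_access ssh rules.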
diff --git a/rules/linux/execution_unusual_kthreadd_execution.toml b/rules/linux/execution_unusual_kthreadd_execution.toml index fb453b1a848..cfcd4c91f4b 100644 --- a/rules/linux/execution_unusual_kthreadd_execution.toml +++ b/rules/linux/execution_unusual_kthreadd_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -117,21 +117,43 @@ process.command_line:( [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.009" +name = "Break Process Trees" +reference = "https://attack.mitre.org/techniques/T1036/009/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["process.name", "host.id"] diff --git a/rules/linux/execution_unusual_path_invocation_from_command_line.toml b/rules/linux/execution_unusual_path_invocation_from_command_line.toml index 7c4599b99b1..254cf9a3902 100644 --- a/rules/linux/execution_unusual_path_invocation_from_command_line.toml +++ b/rules/linux/execution_unusual_path_invocation_from_command_line.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/06/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -135,11 +135,20 @@ id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.007" +name = "Path Interception by PATH Environment Variable" +reference = "https://attack.mitre.org/techniques/T1574/007/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.name"] diff --git a/rules/linux/execution_unusual_pkexec_execution.toml b/rules/linux/execution_unusual_pkexec_execution.toml index 0b613bb5b67..fb8c1cd5886 100644 --- a/rules/linux/execution_unusual_pkexec_execution.toml +++ b/rules/linux/execution_unusual_pkexec_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -129,6 +129,11 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] id = "TA0002" name = "Execution" 
@@ -147,6 +152,23 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.command_line"] diff --git a/rules/linux/exfiltration_potential_curl_data_exfiltration.toml b/rules/linux/exfiltration_potential_curl_data_exfiltration.toml index d26ede83d7b..af05ed7556d 100644 --- a/rules/linux/exfiltration_potential_curl_data_exfiltration.toml +++ b/rules/linux/exfiltration_potential_curl_data_exfiltration.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/13" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -113,12 +113,22 @@ process.name == "curl" and ?process.parent.executable != null and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" - - [[rule.threat.technique]] - name = "Exfiltration Over Alternative Protocol" - id = "T1048" - reference = "https://attack.mitre.org/techniques/T1048/" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[[rule.threat.technique.subtechnique]] +id = "T1048.001" +name = "Exfiltration Over Symmetric Encrypted Non-C2 Protocol" +reference = "https://attack.mitre.org/techniques/T1048/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1048.003" +name = "Exfiltration Over Unencrypted Non-C2 Protocol" +reference = "https://attack.mitre.org/techniques/T1048/003/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml index 89aa348f4dd..091686f3033 100644 --- a/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml +++ b/rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -124,6 +124,11 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1030" +name = "Data Transfer Size Limits" +reference = "https://attack.mitre.org/techniques/T1030/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" 
diff --git a/rules/linux/exfiltration_potential_database_dumping.toml b/rules/linux/exfiltration_potential_database_dumping.toml index 6f00692824d..579db8edbdb 100644 --- a/rules/linux/exfiltration_potential_database_dumping.toml +++ b/rules/linux/exfiltration_potential_database_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/13" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,12 +104,30 @@ process.name in ("pg_dump", "pg_dumpall", "mysqldump", "mariadb-dump", "mongodum [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" - [[rule.threat.technique]] - name = "Exfiltration Over Alternative Protocol" - id = "T1048" - reference = "https://attack.mitre.org/techniques/T1048/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1119" +name = "Automated Collection" +reference = "https://attack.mitre.org/techniques/T1119/" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/linux/exfiltration_potential_wget_data_exfiltration.toml b/rules/linux/exfiltration_potential_wget_data_exfiltration.toml index e0f16b19169..30d03cd7881 100644 --- a/rules/linux/exfiltration_potential_wget_data_exfiltration.toml +++ b/rules/linux/exfiltration_potential_wget_data_exfiltration.toml 
@@ -2,7 +2,7 @@ creation_date = "2026/01/07" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"] maturity = "production" -updated_date = "2026/03/13" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,12 +122,25 @@ process.name == "wget" and ?process.parent.executable != null and ( [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Exfiltration" - id = "TA0010" - reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" - [[rule.threat.technique]] - name = "Exfiltration Over Alternative Protocol" - id = "T1048" - reference = "https://attack.mitre.org/techniques/T1048/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml index f6d821c4711..51dce3af626 100644 --- a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml +++ b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -171,6 +171,11 @@ from logs-endpoint.events.process-* metadata _id, _index, _version [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" @@ -179,6 +184,16 @@ reference = "https://attack.mitre.org/tactics/TA0010/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml index d5ae1fbcb95..f7bf7c915b7 100644 --- a/rules/linux/impact_data_encrypted_via_openssl.toml +++ b/rules/linux/impact_data_encrypted_via_openssl.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -115,3 +115,16 @@ reference = "https://attack.mitre.org/techniques/T1486/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/impact_memory_swap_modification.toml b/rules/linux/impact_memory_swap_modification.toml index 2336a398314..c1231cd493c 100644 --- a/rules/linux/impact_memory_swap_modification.toml +++ b/rules/linux/impact_memory_swap_modification.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -121,6 +121,11 @@ id = "T1496" name = "Resource Hijacking" reference = "https://attack.mitre.org/techniques/T1496/" +[[rule.threat.technique.subtechnique]] +id = "T1496.001" +name = "Compute Hijacking" +reference = "https://attack.mitre.org/techniques/T1496/001/" + [rule.threat.tactic] id = "TA0040" name = "Impact" diff --git a/rules/linux/impact_potential_bruteforce_malware_infection.toml b/rules/linux/impact_potential_bruteforce_malware_infection.toml index 93c5361d32a..5ce3b6d80a5 100644 --- a/rules/linux/impact_potential_bruteforce_malware_infection.toml +++ b/rules/linux/impact_potential_bruteforce_malware_infection.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -205,3 +205,16 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index 85ce3461abd..a1f4454d1ea 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/27" integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -107,6 +107,23 @@ id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.threshold] field = ["host.id", "process.executable", "user.name"] value = 15 diff --git a/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml b/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml index 45f5c1a911f..89e8ba1f7b8 100644 --- a/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml +++ b/rules/linux/initial_access_apache_struts_cve_2023_50164_exploitation_to_webshell.toml @@ -2,7 +2,7 @@ creation_date = "2025/11/19" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/11/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -114,31 +114,44 @@ sequence by agent.id with maxspan=10s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/initial_access_first_time_public_key_authentication.toml b/rules/linux/initial_access_first_time_public_key_authentication.toml index 1e74cf2cb47..4e1a8689f7f 100644 --- a/rules/linux/initial_access_first_time_public_key_authentication.toml +++ b/rules/linux/initial_access_first_time_public_key_authentication.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,16 +99,38 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["system.auth.ssh.signature"] diff --git a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml index d1e0215d442..f571a929dd7 100644 --- a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml +++ b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -92,16 +92,33 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["related.ip"] diff --git a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml index ffc5417fe60..098cdd42503 100644 --- a/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml +++ b/rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["system"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
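Review bot: This rule receives only T1078 under Initial Access, while its two siblings edited in the same commit, initial_access_first_time_public_key_authentication and initial_access_successful_ssh_authentication_by_unusual_user, receive both T1078 and T1133 External Remote Services. All three key on the same `event.action:ssh_login` success event shown in the hunk header, and a successful SSH login from an unusual source IP is, if anything, the closest of the three to the External Remote Services description, so the omission looks accidental rather than deliberate. Either add the same `[[rule.threat.technique]]` block for T1133 here or record in the rule why this one is mapped differently.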
@@ -76,16 +76,38 @@ event.category:authentication and host.os.type:linux and event.action:ssh_login [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.004" +name = "SSH" +reference = "https://attack.mitre.org/techniques/T1021/004/" +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" [rule.new_terms] field = "new_terms_fields" value = ["related.user"] diff --git a/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml b/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml index 3ebcdec8cc2..6d17eb3c5b4 100644 --- a/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml +++ b/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/26" integration = ["auditd_manager"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -93,26 +93,39 @@ sequence by host.id with maxspan=1s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml b/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml index 159ac1545b7..b0118148c35 100644 --- a/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml +++ b/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/24" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -101,26 +101,39 @@ process where host.os.type == "linux" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/lateral_movement_kubeconfig_file_activity.toml b/rules/linux/lateral_movement_kubeconfig_file_activity.toml index 742506ac792..14e0cd4c88e 100644 --- a/rules/linux/lateral_movement_kubeconfig_file_activity.toml +++ b/rules/linux/lateral_movement_kubeconfig_file_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -151,12 +151,30 @@ reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml b/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml index c4ec5a4e372..2cf39df00da 100644 --- a/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml +++ b/rules/linux/lateral_movement_remote_file_creation_world_writeable_dir.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -132,6 +132,18 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable", "host.id"] 
diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml index d7738588cf4..f2ca0a1065a 100644 --- a/rules/linux/lateral_movement_ssh_it_worm_download.toml +++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/21" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -135,3 +135,16 @@ reference = "https://attack.mitre.org/techniques/T1563/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index 40cf153f80e..691a01df08b 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -133,3 +133,16 @@ reference = "https://attack.mitre.org/techniques/T1021/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/lateral_movement_unusual_remote_file_creation.toml b/rules/linux/lateral_movement_unusual_remote_file_creation.toml index 828592b0bde..12d810eed6d 100644 --- a/rules/linux/lateral_movement_unusual_remote_file_creation.toml +++ b/rules/linux/lateral_movement_unusual_remote_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/20" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -140,6 +140,18 @@ id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable", "host.id"] diff --git a/rules/linux/persistence_apt_package_manager_execution.toml b/rules/linux/persistence_apt_package_manager_execution.toml index 121bf350707..4d1af08566d 100644 --- a/rules/linux/persistence_apt_package_manager_execution.toml +++ b/rules/linux/persistence_apt_package_manager_execution.toml 
@@ -2,7 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -174,6 +174,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/linux/persistence_apt_package_manager_file_creation.toml b/rules/linux/persistence_apt_package_manager_file_creation.toml
index 6fa37d13b3e..b7166410e58 100644
--- a/rules/linux/persistence_apt_package_manager_file_creation.toml
+++ b/rules/linux/persistence_apt_package_manager_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -175,3 +175,21 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.016"
+name = "Installer Packages"
+reference = "https://attack.mitre.org/techniques/T1546/016/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_apt_package_manager_netcon.toml b/rules/linux/persistence_apt_package_manager_netcon.toml
index 7e83bb830d6..b0287a10224 100644
--- a/rules/linux/persistence_apt_package_manager_netcon.toml
+++ b/rules/linux/persistence_apt_package_manager_netcon.toml
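Review bot: The Defense Evasion `[[rule.threat]]` block in persistence_apt_package_manager_file_creation.toml appears to carry no `[[rule.threat.technique]]` entry: the hunk's header context is `framework = "MITRE ATT&CK"` and the first context line three lines later is already the tactic's `id = "TA0005"`, so only a blank line and the `[rule.threat.tactic]` header can sit between them. The commit leaves this tactic-only block as is, while it fills in the analogous empty Defense Evasion blocks in persistence_dnf_package_manager_plugin_file_creation.toml (T1574) and persistence_dracut_module_creation.toml (T1542); the same tactic-only block is visible in the persistence_apt_package_manager_netcon.toml and persistence_git_hook_netcon.toml hunks. If the omission is deliberate, a comment above the block such as `# tactic-only mapping: no ATT&CK technique fits the evasion aspect of this rule` would keep the next mapping pass from re-raising it; otherwise the block should name the technique it covers, as the other files now do. This is inferred from the hunk header context, so it is worth confirming against the full file.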
@@ -2,7 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -156,3 +156,21 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/linux/persistence_bpf_program_or_map_load.toml b/rules/linux/persistence_bpf_program_or_map_load.toml
index af4757fbc16..4255fc6e065 100644
--- a/rules/linux/persistence_bpf_program_or_map_load.toml
+++ b/rules/linux/persistence_bpf_program_or_map_load.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/20"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -118,3 +118,21 @@ reference = "https://attack.mitre.org/techniques/T1014/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml
index 554ad767f59..a93f65fa8e3 100644
--- a/rules/linux/persistence_chkconfig_service_add.toml
+++ b/rules/linux/persistence_chkconfig_service_add.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/22"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [transform]
 [[transform.osquery]]
@@ -196,6 +196,11 @@ id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index 523302ed1a5..7ecaaef7e15 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [transform]
 [[transform.osquery]]
@@ -187,6 +187,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+[[rule.threat.technique]]
+id = "T1554"
+name = "Compromise Host Software Binary"
+reference = "https://attack.mitre.org/techniques/T1554/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/linux/persistence_dbus_service_creation.toml b/rules/linux/persistence_dbus_service_creation.toml
index 386571da585..379cc6b7a2a 100644
--- a/rules/linux/persistence_dbus_service_creation.toml
+++ b/rules/linux/persistence_dbus_service_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -138,6 +138,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -151,6 +156,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
diff --git a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
index 6d9c71de08e..9d97b4d31db 100644
--- a/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
+++ b/rules/linux/persistence_dbus_unsual_daemon_parent_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/21"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -158,6 +158,11 @@ id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
+[[rule.threat.technique]]
+id = "T1559"
+name = "Inter-Process Communication"
+reference = "https://attack.mitre.org/techniques/T1559/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
diff --git a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
index 10ca2105f97..ded6346ead2 100644
--- a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
+++ b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/25"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -157,7 +157,35 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.016"
+name = "Installer Packages"
+reference = "https://attack.mitre.org/techniques/T1546/016/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml b/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
index 595ab2d545a..c82730e95f3 100644
--- a/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
+++ b/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -141,6 +141,23 @@ id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.016"
+name = "Installer Packages"
+reference = "https://attack.mitre.org/techniques/T1546/016/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.executable"]
diff --git a/rules/linux/persistence_dpkg_unusual_execution.toml b/rules/linux/persistence_dpkg_unusual_execution.toml
index 73a6322b954..3ec87f425bb 100644
--- a/rules/linux/persistence_dpkg_unusual_execution.toml
+++ b/rules/linux/persistence_dpkg_unusual_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -102,6 +102,11 @@ process.group_leader.name != null and not (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
@@ -112,11 +117,6 @@ id = "T1546.016"
 name = "Installer Packages"
 reference = "https://attack.mitre.org/techniques/T1546/016/"
 
-[[rule.threat.technique]]
-id = "T1543"
-name = "Create or Modify System Process"
-reference = "https://attack.mitre.org/techniques/T1543/"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
@@ -141,6 +141,24 @@ name = "Compromise Software Supply Chain"
 reference = "https://attack.mitre.org/techniques/T1195/002/"
 
 [rule.threat.tactic]
-name = "Initial Access"
 id = "TA0001"
+name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.016"
+name = "Installer Packages"
+reference = "https://attack.mitre.org/techniques/T1546/016/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_dracut_module_creation.toml b/rules/linux/persistence_dracut_module_creation.toml
index 9427236d5fb..0df18519ede 100644
--- a/rules/linux/persistence_dracut_module_creation.toml
+++ b/rules/linux/persistence_dracut_module_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -164,6 +164,11 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1542"
+name = "Pre-OS Boot"
+reference = "https://attack.mitre.org/techniques/T1542/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml
index 2dcef6e4fb8..428803c32e8 100644
--- a/rules/linux/persistence_dynamic_linker_backup.toml
+++ b/rules/linux/persistence_dynamic_linker_backup.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/12"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/17"
+updated_date = "2026/03/24"
 
 [transform]
 [[transform.osquery]]
@@ -192,3 +192,21 @@ reference = "https://attack.mitre.org/techniques/T1574/006/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_git_hook_execution.toml b/rules/linux/persistence_git_hook_execution.toml
index 55473220b03..78539f29fe0 100644
--- a/rules/linux/persistence_git_hook_execution.toml
+++ b/rules/linux/persistence_git_hook_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/15"
 integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -114,6 +114,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
diff --git a/rules/linux/persistence_git_hook_file_creation.toml b/rules/linux/persistence_git_hook_file_creation.toml
index c5b9d78a19a..b7455b0cb8e 100644
--- a/rules/linux/persistence_git_hook_file_creation.toml
+++ b/rules/linux/persistence_git_hook_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/26"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -129,6 +129,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
diff --git a/rules/linux/persistence_git_hook_netcon.toml b/rules/linux/persistence_git_hook_netcon.toml
index 3c79ca6de78..358537f729e 100644
--- a/rules/linux/persistence_git_hook_netcon.toml
+++ b/rules/linux/persistence_git_hook_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -123,6 +123,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
@@ -158,3 +163,16 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/persistence_git_hook_process_execution.toml b/rules/linux/persistence_git_hook_process_execution.toml
index 2203dc37a30..3cb9ae2082d 100644
--- a/rules/linux/persistence_git_hook_process_execution.toml
+++ b/rules/linux/persistence_git_hook_process_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/26"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -132,6 +132,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
 
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
diff --git a/rules/linux/persistence_grub_configuration_creation.toml b/rules/linux/persistence_grub_configuration_creation.toml
index d3c5b78af10..f874a2566c6 100644
--- a/rules/linux/persistence_grub_configuration_creation.toml
+++ b/rules/linux/persistence_grub_configuration_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -143,3 +143,16 @@ reference = "https://attack.mitre.org/techniques/T1574/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1542"
+name = "Pre-OS Boot"
+reference = "https://attack.mitre.org/techniques/T1542/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_grub_makeconfig.toml b/rules/linux/persistence_grub_makeconfig.toml
index dc757627521..89ea6d20748 100644
--- a/rules/linux/persistence_grub_makeconfig.toml
+++ b/rules/linux/persistence_grub_makeconfig.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -133,3 +133,16 @@ reference = "https://attack.mitre.org/techniques/T1574/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1542"
+name = "Pre-OS Boot"
+reference = "https://attack.mitre.org/techniques/T1542/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml
index b4d7276cf08..22fd4882262 100644
--- a/rules/linux/persistence_init_d_file_creation.toml
+++ b/rules/linux/persistence_init_d_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/21"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [transform]
 [[transform.osquery]]
@@ -192,7 +192,30 @@ id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1037.004"
+name = "RC Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/004/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1037.004"
+name = "RC Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/004/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index 58550c3b588..b36a4b766fa 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/06"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [transform]
 [[transform.osquery]]
@@ -243,6 +243,11 @@ id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
 
+[[rule.threat.technique.subtechnique]]
+id = "T1547.013"
+name = "XDG Autostart Entries"
+reference = "https://attack.mitre.org/techniques/T1547/013/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
diff --git a/rules/linux/persistence_kernel_driver_load.toml b/rules/linux/persistence_kernel_driver_load.toml
index 0f7b646be9e..88fc5919f2c 100644
--- a/rules/linux/persistence_kernel_driver_load.toml
+++ b/rules/linux/persistence_kernel_driver_load.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -96,31 +96,49 @@ Kernel modules extend the functionality of the Linux kernel, allowing dynamic lo
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.006"
 name = "Kernel Modules and Extensions"
 reference = "https://attack.mitre.org/techniques/T1547/006/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1014"
 name = "Rootkit"
 reference = "https://attack.mitre.org/techniques/T1014/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_kernel_driver_load_by_non_root.toml b/rules/linux/persistence_kernel_driver_load_by_non_root.toml
index 9f4a8303937..53ddd96471a 100644
--- a/rules/linux/persistence_kernel_driver_load_by_non_root.toml
+++ b/rules/linux/persistence_kernel_driver_load_by_non_root.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/10"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -128,3 +128,21 @@ reference = "https://attack.mitre.org/techniques/T1014/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_kernel_module_load_from_unusual_location.toml b/rules/linux/persistence_kernel_module_load_from_unusual_location.toml
index 6a383383172..ad22b980a2a 100644
--- a/rules/linux/persistence_kernel_module_load_from_unusual_location.toml
+++ b/rules/linux/persistence_kernel_module_load_from_unusual_location.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/13"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -145,3 +145,21 @@ reference = "https://attack.mitre.org/techniques/T1014/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_kernel_object_file_creation.toml b/rules/linux/persistence_kernel_object_file_creation.toml
index e5b8aede59e..23f7580610a 100644
--- a/rules/linux/persistence_kernel_object_file_creation.toml
+++ b/rules/linux/persistence_kernel_object_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/19"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -138,6 +138,23 @@ id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.006"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1547/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.name", "file.name"]
diff --git a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml
index 59a33614ada..a5c2e7e965b 100644
--- a/rules/linux/persistence_kubernetes_sensitive_file_activity.toml
+++ b/rules/linux/persistence_kubernetes_sensitive_file_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "cloud_defend"]
 maturity = "production"
 min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
 min_stack_version = "9.3.0"
-updated_date = "2026/02/05"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -111,6 +111,16 @@ file where host.os.type == "linux" and event.type != "deletion" and file.path li
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1053.007"
+name = "Container Orchestration Job"
+reference = "https://attack.mitre.org/techniques/T1053/007/"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
@@ -121,17 +131,38 @@ id = "T1543.005"
 name = "Container Service"
 reference = "https://attack.mitre.org/techniques/T1543/005/"
 
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
-id = "T1053"
-name = "Scheduled Task/Job"
-reference = "https://attack.mitre.org/techniques/T1053/"
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
 
 [[rule.threat.technique.subtechnique]]
-id = "T1053.007"
-name = "Container Orchestration Job"
-reference = "https://attack.mitre.org/techniques/T1053/007/"
+id = "T1543.005"
+name = "Container Service"
+reference = "https://attack.mitre.org/techniques/T1543/005/"
 
 [rule.threat.tactic]
-id = "TA0003"
-name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_kworker_file_creation.toml b/rules/linux/persistence_kworker_file_creation.toml
index 428a388aa15..3d1b0170edc 100644
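Review bot: The new Privilege Escalation `[[rule.threat]]` block in persistence_kubernetes_sensitive_file_activity.toml mirrors only T1543.005, while T1053.007 (Container Orchestration Job), which the first hunk of this file moves to the top of the Persistence block, is not mirrored; ATT&CK lists T1053 Scheduled Task/Job under Privilege Escalation as well, so the omission reads as accidental rather than deliberate. If it is intended, fine; otherwise the TA0004 block should carry a `[[rule.threat.technique]]` T1053 entry with its `[[rule.threat.technique.subtechnique]]` T1053.007 next to T1543.005, in the same form the Persistence block uses. Separately, T1610 Deploy Container under Execution is a mapping worth a second look for a rule whose query context line is `file where host.os.type == "linux" and event.type != "deletion" ...`; the rule description that would justify it lies outside the hunk.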
--- a/rules/linux/persistence_kworker_file_creation.toml
+++ b/rules/linux/persistence_kworker_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [transform]
 [[transform.osquery]]
@@ -199,6 +199,16 @@ id = "T1014"
 name = "Rootkit"
 reference = "https://attack.mitre.org/techniques/T1014/"
 
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Resource Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml
index fde1a2aa627..b1e668e6188 100644
--- a/rules/linux/persistence_linux_backdoor_user_creation.toml
+++ b/rules/linux/persistence_linux_backdoor_user_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/07"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [transform]
 [[transform.osquery]]
@@ -146,6 +146,11 @@ process.args in ("-o", "--non-unique")
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
@@ -160,3 +165,16 @@ reference = "https://attack.mitre.org/techniques/T1136/001/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml
index 1a5ec523679..fc60a928539 100644
--- a/rules/linux/persistence_linux_group_creation.toml
+++ b/rules/linux/persistence_linux_group_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/13"
 integration = ["system"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [transform]
 [[transform.osquery]]
@@ -119,6 +119,16 @@ iam where host.os.type == "linux" and event.type == "group" and event.type == "c
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.007"
+name = "Additional Local or Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1098/007/"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
index e3267bc31b1..31e0f60e16f 100644
--- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/04"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [transform]
 [[transform.osquery]]
@@ -206,3 +206,16 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index 10ff2785c87..f171e2760a4 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/13" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -143,6 +143,16 @@ process.executable != null and process.args in ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" 
@@ -157,3 +167,21 @@ reference = "https://attack.mitre.org/techniques/T1136/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_manual_dracut_execution.toml b/rules/linux/persistence_manual_dracut_execution.toml index 0afee6bda3f..a12b34a2ed0 100644 --- a/rules/linux/persistence_manual_dracut_execution.toml +++ b/rules/linux/persistence_manual_dracut_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -143,3 +143,16 @@ reference = "https://attack.mitre.org/techniques/T1059/004/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1542" +name = "Pre-OS Boot" +reference = "https://attack.mitre.org/techniques/T1542/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index 32d08cc31f9..dc73a9eff56 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -183,3 +183,16 @@ reference = "https://attack.mitre.org/techniques/T1037/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index 4e5c181f2dd..2d176a1d6ac 100644 --- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -209,3 +209,44 @@ reference = "https://attack.mitre.org/techniques/T1037/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.011"
+name = "Lua"
+reference = "https://attack.mitre.org/techniques/T1059/011/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/linux/persistence_network_manager_dispatcher_persistence.toml b/rules/linux/persistence_network_manager_dispatcher_persistence.toml
index 089f1d5d144..55a144cda53 100644
--- a/rules/linux/persistence_network_manager_dispatcher_persistence.toml
+++ b/rules/linux/persistence_network_manager_dispatcher_persistence.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/16"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/01/26"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
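Review bot: The new Execution block in persistence_message_of_the_day_execution.toml lists three interpreter subtechniques (T1059.004, T1059.006, T1059.011), but nothing in the hunk shows that the rule's query covers Python or Lua interpreters launched from MOTD scripts; if the query only matches shell spawns, the Python and Lua entries overstate coverage and should be dropped. T1059.011 (Lua) is also a comparatively recent ATT&CK addition, as are T1546.017 in persistence_potential_persistence_script_executable_bit_set.toml and T1546.018 in persistence_pth_file_creation.toml and persistence_site_and_user_customize_file_creation.toml — confirm that the ATT&CK dataset the repo's rule validation is pinned to contains these IDs, or validation will reject them. The query itself lies outside the hunk.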
@@ -130,6 +130,11 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" diff --git a/rules/linux/persistence_openssl_passwd_hash_generation.toml b/rules/linux/persistence_openssl_passwd_hash_generation.toml index dc7660861c7..df808750868 100644 --- a/rules/linux/persistence_openssl_passwd_hash_generation.toml +++ b/rules/linux/persistence_openssl_passwd_hash_generation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,6 +111,11 @@ not process.args in ("-help", "--help", "-h") [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" diff --git a/rules/linux/persistence_pluggable_authentication_module_creation.toml b/rules/linux/persistence_pluggable_authentication_module_creation.toml index a5bebae77f2..8de1e62712a 100644 --- a/rules/linux/persistence_pluggable_authentication_module_creation.toml +++ b/rules/linux/persistence_pluggable_authentication_module_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -123,6 +123,16 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -136,6 +146,11 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml index 2505889ddd7..2323b6fef5d 100644 --- a/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml +++ b/rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,6 +105,16 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -118,6 +128,11 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml b/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml index 57331335bcc..381f170f42b 100644 --- a/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml +++ b/rules/linux/persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/29" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,16 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -127,3 +137,16 @@ reference = "https://attack.mitre.org/techniques/T1556/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
diff --git a/rules/linux/persistence_pluggable_authentication_module_source_download.toml b/rules/linux/persistence_pluggable_authentication_module_source_download.toml index 458326e408c..aad0bc8bc5b 100644 --- a/rules/linux/persistence_pluggable_authentication_module_source_download.toml +++ b/rules/linux/persistence_pluggable_authentication_module_source_download.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,7 +102,25 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/persistence_polkit_policy_creation.toml b/rules/linux/persistence_polkit_policy_creation.toml index 0735fde6ca8..a80b58af304 100644 --- a/rules/linux/persistence_polkit_policy_creation.toml +++ b/rules/linux/persistence_polkit_policy_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -114,6 +114,11 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -131,3 +136,16 @@ reference = "https://attack.mitre.org/techniques/T1556/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml index ada832ab5a8..f8a376964ac 100644 --- a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml +++ b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -145,6 +145,16 @@ id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.017" +name = "Udev Rules" +reference = "https://attack.mitre.org/techniques/T1546/017/" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" 
@@ -159,3 +169,21 @@ reference = "https://attack.mitre.org/techniques/T1547/013/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" + +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_process_capability_set_via_setcap.toml b/rules/linux/persistence_process_capability_set_via_setcap.toml index 412be59834c..1f659ab84ca 100644 --- a/rules/linux/persistence_process_capability_set_via_setcap.toml +++ b/rules/linux/persistence_process_capability_set_via_setcap.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,7 +118,25 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/linux/persistence_pth_file_creation.toml b/rules/linux/persistence_pth_file_creation.toml index 8492cf01914..21e54dfa5cb 100644 --- a/rules/linux/persistence_pth_file_creation.toml +++ b/rules/linux/persistence_pth_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -162,6 +162,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -174,3 +179,21 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.018" +name = "Python Startup Hooks" +reference = "https://attack.mitre.org/techniques/T1546/018/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_rc_local_error_via_syslog.toml b/rules/linux/persistence_rc_local_error_via_syslog.toml index 22cdd76e5c8..a40049fd64c 100644 --- a/rules/linux/persistence_rc_local_error_via_syslog.toml +++ b/rules/linux/persistence_rc_local_error_via_syslog.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/21" integration = ["system"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -112,3 +112,21 @@ reference = "https://attack.mitre.org/techniques/T1037/004/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_rc_local_service_already_running.toml b/rules/linux/persistence_rc_local_service_already_running.toml index c1a07ece724..3b6c833d850 100644 --- a/rules/linux/persistence_rc_local_service_already_running.toml +++ b/rules/linux/persistence_rc_local_service_already_running.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -119,3 +119,21 @@ reference = "https://attack.mitre.org/techniques/T1037/004/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index 1ae06027c94..a8625182815 100644 --- a/rules/linux/persistence_rc_script_creation.toml 
+++ b/rules/linux/persistence_rc_script_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -183,3 +183,21 @@ reference = "https://attack.mitre.org/techniques/T1037/004/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml index 7dccbc4c3f0..253e96e34ee 100644 --- a/rules/linux/persistence_setuid_setgid_capability_set.toml +++ b/rules/linux/persistence_setuid_setgid_capability_set.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/05" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -182,3 +182,21 @@ reference = "https://attack.mitre.org/techniques/T1548/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_shadow_file_modification.toml b/rules/linux/persistence_shadow_file_modification.toml index 61af8e00f9c..e488d7b6bb4 100644 --- a/rules/linux/persistence_shadow_file_modification.toml +++ b/rules/linux/persistence_shadow_file_modification.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -116,6 +116,16 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + +[[rule.threat.technique.subtechnique]] +id = "T1136.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1136/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml index da1bfc93904..372e352f546 100644 --- a/rules/linux/persistence_shared_object_creation.toml +++ b/rules/linux/persistence_shared_object_creation.toml 
@@ -2,7 +2,7 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [transform]
 [[transform.osquery]]
@@ -205,6 +205,41 @@ id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
 
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["file.name", "process.name"]
diff --git a/rules/linux/persistence_shell_configuration_modification.toml b/rules/linux/persistence_shell_configuration_modification.toml
index 4fe83655166..36feba16bed 100644
--- a/rules/linux/persistence_shell_configuration_modification.toml
+++ b/rules/linux/persistence_shell_configuration_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
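Review bot: The appended Privilege Escalation block in persistence_shared_object_creation.toml ends with `+reference = "https://attack.mitre.org/tactics/TA0004/"` immediately followed by the context line `[rule.new_terms]`; the hunk's six old-side context lines leave room for only one blank line, and it sits before the insertion, so the new `[rule.threat.tactic]` table runs straight into `[rule.new_terms]` with no separator, unlike every other table boundary this commit writes. Adding one trailing added blank line after the TA0004 reference keeps the section layout consistent. The same thing happens at the end of the last hunk in persistence_ssh_via_backdoored_system_user.toml, where `+reference = "https://attack.mitre.org/tactics/TA0001/"` is directly followed by `[rule.new_terms]`.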
@@ -152,3 +152,21 @@ reference = "https://attack.mitre.org/techniques/T1546/004/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_simple_web_server_connection_accepted.toml b/rules/linux/persistence_simple_web_server_connection_accepted.toml index 11e4f177db0..9594bb68dde 100644 --- a/rules/linux/persistence_simple_web_server_connection_accepted.toml +++ b/rules/linux/persistence_simple_web_server_connection_accepted.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -106,48 +106,58 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" - [[rule.threat.technique]] - id = "T1505" - name = "Server Software Component" - reference = "https://attack.mitre.org/techniques/T1505/" +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" - [[rule.threat.technique.subtechnique]] - id = "T1505.003" - name = "Web Shell" - reference = "https://attack.mitre.org/techniques/T1505/003/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique]] - id = "T1059" - name = "Command and Scripting Interpreter" - reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell" - id = "T1059.004" - reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = 
"TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" - [[rule.threat.technique]] - name = "Application Layer Protocol" - id = "T1071" - reference = "https://attack.mitre.org/techniques/T1071/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/persistence_simple_web_server_creation.toml b/rules/linux/persistence_simple_web_server_creation.toml index a36dadf7d26..2f6fa07ac43 100644 --- a/rules/linux/persistence_simple_web_server_creation.toml +++ b/rules/linux/persistence_simple_web_server_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/17" integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -141,6 +141,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -154,6 +159,11 @@ id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/linux/persistence_site_and_user_customize_file_creation.toml b/rules/linux/persistence_site_and_user_customize_file_creation.toml index d0ae0b7eb1f..3bbc6c7402b 100644 
--- a/rules/linux/persistence_site_and_user_customize_file_creation.toml +++ b/rules/linux/persistence_site_and_user_customize_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -153,6 +153,11 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + [rule.threat.tactic] id = "TA0002" name = "Execution" @@ -165,3 +170,21 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.018" +name = "Python Startup Hooks" +reference = "https://attack.mitre.org/techniques/T1546/018/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_ssh_netcon.toml b/rules/linux/persistence_ssh_netcon.toml index bde9a2bb722..2edd7f1957b 100644 --- a/rules/linux/persistence_ssh_netcon.toml +++ b/rules/linux/persistence_ssh_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -146,6 +146,11 @@ reference = "https://attack.mitre.org/tactics/TA0008/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" 
diff --git a/rules/linux/persistence_ssh_via_backdoored_system_user.toml b/rules/linux/persistence_ssh_via_backdoored_system_user.toml
index cf09a455608..fae10f1ce11 100644
--- a/rules/linux/persistence_ssh_via_backdoored_system_user.toml
+++ b/rules/linux/persistence_ssh_via_backdoored_system_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/07"
 integration = ["system"]
 maturity = "production"
-updated_date = "2026/03/02"
+updated_date = "2026/03/24"
 
 [rule]
 author = ["Elastic"]
@@ -101,6 +101,16 @@ user.name:(
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.003"
+name = "Local Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/003/"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
@@ -119,11 +129,6 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
-[rule.threat.tactic]
-name = "Defense Evasion"
-id = "TA0005"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat.technique]]
 id = "T1564"
 name = "Hide Artifacts"
@@ -134,6 +139,28 @@ id = "T1564.002"
 name = "Hidden Users"
 reference = "https://attack.mitre.org/techniques/T1564/002/"
 
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.003"
+name = "Local Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/003/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user.name", "host.id"]
diff --git a/rules/linux/persistence_suspicious_file_opened_through_editor.toml b/rules/linux/persistence_suspicious_file_opened_through_editor.toml index a3db7c8cbe3..c78e14b4caf 100644 --- a/rules/linux/persistence_suspicious_file_opened_through_editor.toml +++ b/rules/linux/persistence_suspicious_file_opened_through_editor.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/25" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -96,56 +96,89 @@ file.path : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.006" name = "Dynamic Linker Hijacking" reference = "https://attack.mitre.org/techniques/T1574/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + 
+[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml index 793a712a67b..39876c5dc89 100644 --- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml +++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -142,3 +142,21 @@ reference = "https://attack.mitre.org/techniques/T1563/001/" id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_systemd_generator_creation.toml b/rules/linux/persistence_systemd_generator_creation.toml index 1405518b4e7..c652b183d85 100644 --- a/rules/linux/persistence_systemd_generator_creation.toml +++ b/rules/linux/persistence_systemd_generator_creation.toml 
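Review bot: Blank-line separation in the Persistence block comes out inconsistent after this hunk: `+` lines insert a blank between T1037, T1543 and T1574 and their sub-techniques, but the new T1098 entry is spliced directly after `reference = ".../T1037/004/"` and directly before the existing `[[rule.threat.technique]]` for T1543, the new T1546 entry likewise sits flush against the T1543.002 and T1574 entries, and the two removed blank lines leave `reference = ".../T1574/006/"` touching `[rule.threat.tactic]` (as far as the collapsed rendering shows). Every other block in this change uses one blank line between tables, so add the same blank before each new `[[rule.threat.technique]]` and before `[rule.threat.tactic]`. The new T1546.004 and T1003.008 entries also presume that the `file.path : (` list, which starts before this hunk, contains shell profile files and `/etc/shadow`; confirm that before merging, since a mapping that the query does not exercise only misleads triage.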
@@ -2,7 +2,7 @@ creation_date = "2024/06/19" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -138,6 +138,11 @@ id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" @@ -156,6 +161,11 @@ id = "T1543.002" name = "Systemd Service" reference = "https://attack.mitre.org/techniques/T1543/002/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/persistence_systemd_netcon.toml b/rules/linux/persistence_systemd_netcon.toml index 3d67cd46113..1df61713b44 100644 --- a/rules/linux/persistence_systemd_netcon.toml +++ b/rules/linux/persistence_systemd_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -171,3 +171,16 @@ framework = "MITRE ATT&CK" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml index 03c70b2ad08..ae8ceabfd9a 100644 --- a/rules/linux/persistence_systemd_scheduled_timer_created.toml 
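Review bot: The new Execution block for persistence_systemd_netcon maps only the parent `T1059`, while the matching change to persistence_xdg_autostart_netcon in this same commit maps `T1059` plus `T1059.004` (Unix Shell) for the same kind of detection. If this rule's query, which is outside the hunk, also keys on shell binaries, add a `[[rule.threat.technique.subtechnique]]` block with `id = "T1059.004"` after the T1059 entry so the two netcon rules agree; if it deliberately covers any process, a one-line `#` comment above `[[rule.threat.technique]]` saying so would stop the next mapping pass from "fixing" it.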
+++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/24" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -210,3 +210,21 @@ reference = "https://attack.mitre.org/techniques/T1053/006/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.006" +name = "Systemd Timers" +reference = "https://attack.mitre.org/techniques/T1053/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_systemd_service_started.toml b/rules/linux/persistence_systemd_service_started.toml index 4d7bc96589f..8625e7ded90 100644 --- a/rules/linux/persistence_systemd_service_started.toml +++ b/rules/linux/persistence_systemd_service_started.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -233,6 +233,23 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] 
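Review bot: The added Execution block duplicates `T1053.006` without a matching Privilege Escalation block, although ATT&CK lists Scheduled Task/Job under Execution, Persistence and Privilege Escalation alike. If the file has no `TA0004` block before this hunk, the same lines with `id = "TA0004"`, `name = "Privilege Escalation"` and `reference = "https://attack.mitre.org/tactics/TA0004/"` would complete the mapping the way persistence_udev_rule_creation does in this commit. If the omission is deliberate because a timer alone does not elevate, leave it as is.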
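Review bot: `T1569.002` (Service Execution) is the Windows-scoped sub-technique of System Services in ATT&CK; the Linux/systemd counterpart is `T1569.003` (Systemctl), added in ATT&CK v16. For a rule whose subject is a systemd service starting an unusual process, change the sub-technique block to `id = "T1569.003"`, `name = "Systemctl"`, `reference = "https://attack.mitre.org/techniques/T1569/003/"`, provided the repository's pinned ATT&CK version includes it. If it does not, keep only the parent `T1569` entry rather than asserting a Windows sub-technique on a Linux rule.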
diff --git a/rules/linux/persistence_systemd_shell_execution.toml b/rules/linux/persistence_systemd_shell_execution.toml index 634b59f4e98..09970325b5c 100644 --- a/rules/linux/persistence_systemd_shell_execution.toml +++ b/rules/linux/persistence_systemd_shell_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -130,3 +130,21 @@ reference = "https://attack.mitre.org/techniques/T1543/002/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_tainted_kernel_module_load.toml b/rules/linux/persistence_tainted_kernel_module_load.toml index 367963adfec..46957374175 100644 --- a/rules/linux/persistence_tainted_kernel_module_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/23" integration = ["system"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -120,3 +120,21 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml index b1e5e98060a..da02eaa00c3 100644 --- a/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml +++ b/rules/linux/persistence_tainted_kernel_module_out_of_tree_load.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1014/" id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_udev_rule_creation.toml b/rules/linux/persistence_udev_rule_creation.toml index b58e6b0f925..7466666b368 100644 
--- a/rules/linux/persistence_udev_rule_creation.toml +++ b/rules/linux/persistence_udev_rule_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -138,7 +138,30 @@ id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.017" +name = "Udev Rules" +reference = "https://attack.mitre.org/techniques/T1546/017/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.017" +name = "Udev Rules" +reference = "https://attack.mitre.org/techniques/T1546/017/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml b/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml index 6d45ba99f78..7fa0e51015b 100644 --- a/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml +++ b/rules/linux/persistence_unpack_initramfs_via_unmkinitramfs.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/16" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -112,6 +112,11 @@ id = "T1542" name = "Pre-OS Boot" reference = "https://attack.mitre.org/techniques/T1542/" +[[rule.threat.technique.subtechnique]] +id = "T1542.003" +name = "Bootkit" +reference = "https://attack.mitre.org/techniques/T1542/003/" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" @@ -148,6 +153,16 @@ reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1542" +name = "Pre-OS Boot" +reference = "https://attack.mitre.org/techniques/T1542/" + +[[rule.threat.technique.subtechnique]] +id = "T1542.003" +name = "Bootkit" +reference = "https://attack.mitre.org/techniques/T1542/003/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/persistence_unusual_exim4_child_process.toml b/rules/linux/persistence_unusual_exim4_child_process.toml index 1b804697747..f30d002710e 100644 --- a/rules/linux/persistence_unusual_exim4_child_process.toml +++ b/rules/linux/persistence_unusual_exim4_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -94,6 +94,31 @@ id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/persistence_unusual_pam_grantor.toml b/rules/linux/persistence_unusual_pam_grantor.toml index 962c7bb3a3f..d465614ba7f 100644 --- a/rules/linux/persistence_unusual_pam_grantor.toml +++ b/rules/linux/persistence_unusual_pam_grantor.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/06" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,6 +89,16 @@ id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -102,11 +112,15 @@ id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.003" +name = "Pluggable Authentication Modules" +reference = "https://attack.mitre.org/techniques/T1556/003/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.new_terms] field = "new_terms_fields" value = ["auditd.data.grantors"] diff --git a/rules/linux/persistence_unusual_sshd_child_process.toml b/rules/linux/persistence_unusual_sshd_child_process.toml index 9acdc41ffa3..4c250cfc6c3 100644 --- a/rules/linux/persistence_unusual_sshd_child_process.toml +++ b/rules/linux/persistence_unusual_sshd_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2024/12/16" integration = ["endpoint", "crowdstrike"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -77,6 +77,11 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" @@ -128,6 +133,18 @@ id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules/linux/persistence_user_credential_modification_via_echo.toml b/rules/linux/persistence_user_credential_modification_via_echo.toml index 3ffcadfcb8d..f41a2cc786e 100644 
--- a/rules/linux/persistence_user_credential_modification_via_echo.toml +++ b/rules/linux/persistence_user_credential_modification_via_echo.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,3 +110,16 @@ reference = "https://attack.mitre.org/techniques/T1098/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_user_or_group_creation_or_modification.toml b/rules/linux/persistence_user_or_group_creation_or_modification.toml index 989aedbc3a6..7dd6db38297 100644 --- a/rules/linux/persistence_user_or_group_creation_or_modification.toml +++ b/rules/linux/persistence_user_or_group_creation_or_modification.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/20" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,11 @@ event.action in ("changed-password", "added-user-account", "added-group-account- [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + [[rule.threat.technique]] id = "T1136" name = "Create Account" 
@@ -124,3 +129,21 @@ reference = "https://attack.mitre.org/techniques/T1136/001/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_web_server_sus_child_spawned.toml b/rules/linux/persistence_web_server_sus_child_spawned.toml index 9bf48a74d57..96ac48f1a38 100644 --- a/rules/linux/persistence_web_server_sus_child_spawned.toml +++ b/rules/linux/persistence_web_server_sus_child_spawned.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -221,6 +221,21 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.011" +name = "Lua" +reference = "https://attack.mitre.org/techniques/T1059/011/" + [rule.threat.tactic] id = "TA0002" name = "Execution" 
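Review bot: The two T1098 entries this commit adds to persistence_user_or_group_creation_or_modification disagree: the Persistence block in the previous hunk gets the bare parent `T1098`, while the Privilege Escalation block here gets `T1098` plus `T1098.007` (Additional Local or Domain Groups). ATT&CK lists T1098.007 under both tactics, so either add the same `[[rule.threat.technique.subtechnique]]` block with `id = "T1098.007"` under the Persistence entry or drop it here. The `event.action in ("changed-password", "added-user-account", "added-group-account-...` list, cut off in the first hunk, should decide whether group-membership changes are actually in scope for the sub-technique.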
@@ -238,3 +253,16 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/linux/persistence_web_server_sus_command_execution.toml b/rules/linux/persistence_web_server_sus_command_execution.toml index bd1fd7cbd10..6306b468fc7 100644 --- a/rules/linux/persistence_web_server_sus_command_execution.toml +++ b/rules/linux/persistence_web_server_sus_command_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/16" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -223,3 +223,16 @@ reference = "https://attack.mitre.org/techniques/T1071/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/linux/persistence_web_server_sus_destination_port.toml b/rules/linux/persistence_web_server_sus_destination_port.toml index 1c274eb2f45..72aa174c920 100644 --- a/rules/linux/persistence_web_server_sus_destination_port.toml +++ b/rules/linux/persistence_web_server_sus_destination_port.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -114,11 +114,6 @@ not cidrmatch(destination.ip, "127.0.0.0/8", "::1","FE80::/10", "FF00::/8", "10. [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Persistence" -id = "TA0003" -reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat.technique]] id = "T1505" name = "Server Software Component" @@ -129,14 +124,14 @@ id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" @@ -147,15 +142,25 @@ id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Command and Control" -id = "TA0011" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] -name = "Application Layer Protocol" id = "T1071" +name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/linux/persistence_web_server_unusual_command_execution.toml b/rules/linux/persistence_web_server_unusual_command_execution.toml index e8c298819bd..cda9c6e04cf 100644 --- a/rules/linux/persistence_web_server_unusual_command_execution.toml +++ b/rules/linux/persistence_web_server_unusual_command_execution.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/12/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -143,6 +143,18 @@ id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["process.command_line"] diff --git a/rules/linux/persistence_xdg_autostart_netcon.toml b/rules/linux/persistence_xdg_autostart_netcon.toml index d51e8ec2ee0..a7011c3c5a7 100644 --- a/rules/linux/persistence_xdg_autostart_netcon.toml +++ b/rules/linux/persistence_xdg_autostart_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -151,3 +151,21 @@ reference = "https://attack.mitre.org/techniques/T1547/013/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml index cfc4377bf4d..57be4ef8581 100644 
--- a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml +++ b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/25" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -154,6 +154,11 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml index bfc29e3bbe6..111a373cf05 100644 --- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml +++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -138,3 +138,21 @@ reference = "https://attack.mitre.org/techniques/T1003/008/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" + +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml index e7e9e00b5ab..ea17cb60ff5 100644 --- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml +++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/31" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -123,3 +123,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1610" +name = "Deploy Container" +reference = "https://attack.mitre.org/techniques/T1610/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml b/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml index 1e3ddd54ee1..297133b5d36 100644 --- a/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml +++ b/rules/linux/privilege_escalation_cve_2025_32463_nsswitch_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/01" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -119,6 +119,16 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml b/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml index cbb17f3d837..173b44030b1 100644 --- a/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml +++ b/rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/01" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/10/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -118,7 +118,35 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml b/rules/linux/privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml index b3c53534dd7..0ad192c73af 100644 --- a/rules/linux/privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml +++ b/rules/linux/privilege_escalation_cve_2025_41244_vmtoolsd_lpe.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/30" integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -142,6 +142,16 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.007" +name = "Path Interception by PATH Environment Variable" +reference = "https://attack.mitre.org/techniques/T1574/007/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_dac_permissions.toml b/rules/linux/privilege_escalation_dac_permissions.toml index d6e99458e84..485d724da6d 100644 --- a/rules/linux/privilege_escalation_dac_permissions.toml +++ b/rules/linux/privilege_escalation_dac_permissions.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/08" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -127,6 +127,33 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.004" +name = "Private Keys" +reference = "https://attack.mitre.org/techniques/T1552/004/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["process.name"] 
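Review bot: The new Credential Access block in the privilege_escalation_dac_permissions hunk (`@@ -127,6 +127,33 @@`) ends up without a separating blank line on one side: the old side has a single blank between `reference = "https://attack.mitre.org/tactics/TA0004/"` and `[rule.new_terms]`, and none of the 27 added lines is a leading or trailing blank, so either `[[rule.threat]]` follows the previous tactic's `reference` directly or `[rule.new_terms]` follows the new tactic's `reference` directly. Every other table boundary in these rule files is separated by one blank line, so add a trailing `+` blank after `reference = "https://attack.mitre.org/tactics/TA0006/"` (and a leading one before `[[rule.threat]]` if the existing blank turns out to sit after the block). The privilege_escalation_ld_preload_shared_object_modif hunk `@@ -129,6 +129,41 @@` has the same shape, with 35 added lines that likewise carry no leading or trailing blank before `[rule.new_terms]`. The enclosing `[rule]` table for both hunks starts outside the hunk.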
diff --git a/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml b/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml index 94a0637e997..22e78454d57 100644 --- a/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml +++ b/rules/linux/privilege_escalation_debugfs_launched_inside_container.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -113,3 +113,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_docker_release_file_creation.toml b/rules/linux/privilege_escalation_docker_release_file_creation.toml index 13bfdf602c9..e919be74c9a 100644 --- a/rules/linux/privilege_escalation_docker_release_file_creation.toml +++ b/rules/linux/privilege_escalation_docker_release_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,6 +78,11 @@ not process.executable in ("/usr/bin/podman", "/sbin/sos", "/sbin/sosreport", "/ [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique]] id = "T1611" name = "Escape to Host" 
@@ -87,3 +92,16 @@ reference = "https://attack.mitre.org/techniques/T1611/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/privilege_escalation_enlightenment_window_manager.toml b/rules/linux/privilege_escalation_enlightenment_window_manager.toml index 163762f1cb3..4d7848f815a 100644 --- a/rules/linux/privilege_escalation_enlightenment_window_manager.toml +++ b/rules/linux/privilege_escalation_enlightenment_window_manager.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,14 +102,23 @@ Enlightenment, a Linux window manager, can be exploited for privilege escalation [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml index d9f136f68e5..8de88108c11 100644 --- a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml 
+++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,24 +104,28 @@ The CAP_SYS_PTRACE capability in Linux allows processes to trace and control oth [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml index b03edb7d5b6..8e85be5293b 100644 --- a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml +++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -106,53 +106,72 @@ GDB, a debugger, can be granted the CAP_SYS_PTRACE capability, allowing it to tr [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[[rule.threat.technique.subtechnique]] +id = "T1055.008" +name = "Ptrace System Calls" +reference = "https://attack.mitre.org/techniques/T1055/008/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/linux/privilege_escalation_kworker_uid_elevation.toml b/rules/linux/privilege_escalation_kworker_uid_elevation.toml index 5c695d128cc..f82fe71622b 100644 --- a/rules/linux/privilege_escalation_kworker_uid_elevation.toml +++ b/rules/linux/privilege_escalation_kworker_uid_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,31 +102,41 @@ Kworker processes are integral to Linux, handling tasks like interrupts and back [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.013" name = "KernelCallbackTable" reference = "https://attack.mitre.org/techniques/T1574/013/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1014" name = "Rootkit" reference = "https://attack.mitre.org/techniques/T1014/" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.004" +name = "Masquerade Task or Service" +reference = "https://attack.mitre.org/techniques/T1036/004/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml index 046ac09030c..88dcfc8a949 100644 --- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml +++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml 
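Review bot: The reworked mapping in the privilege_escalation_kworker_uid_elevation hunk (`@@ -102,31 +102,41 @@`) adds `T1036.004` under Defense Evasion but leaves the Privilege Escalation block's existing sub-technique `T1574.013` / `KernelCallbackTable` untouched, and in ATT&CK that sub-technique is Windows-only (it describes tampering with a process's KernelCallbackTable), so it does not apply to a Linux kworker rule. Since the commit already touches this threat block, it would be worth either dropping to the parent `T1574` as the snap_confine and suspicious_symbolic_link hunks in this commit do, or choosing a Linux-applicable sub-technique. The `[rule]` table and the query these mappings describe start outside the hunk, so I cannot confirm which T1574 variant the rule logic actually covers.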
@@ -2,7 +2,7 @@ creation_date = "2021/01/27" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -129,6 +129,41 @@ id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml index af3b13bbbe3..7b6c41b148e 100644 --- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml +++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -122,6 +122,11 @@ id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -144,3 +149,29 @@ reference = "https://attack.mitre.org/techniques/T1003/008/" id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index e2af607fc77..247f7568715 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -153,6 +153,11 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1014" +name = "Rootkit" +reference = "https://attack.mitre.org/techniques/T1014/" + [[rule.threat.technique]] id = "T1601" name = "Modify System Image" diff --git a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml index 7f703f3cf39..8a26e54fea9 100644 --- a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml +++ b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml @@ -2,7 +2,7 @@ creation_date = "2023/10/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -114,14 +114,23 @@ CVE-2023-4911 exploits a buffer overflow in the GNU C Library's dynamic loader, [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml index c7b540738b2..fa85b1fcacc 100644 --- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml +++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -105,14 +105,18 @@ OverlayFS is a union filesystem used in Linux environments to overlay one filesy [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml index 9df3d417f82..bbffa62b3bf 100644 --- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/26" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,31 +100,46 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [[rule.threat.technique.subtechnique]] id = "T1574.007" name = "Path Interception by PATH Environment Variable" reference = "https://attack.mitre.org/techniques/T1574/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml index f7d626e37d7..3b93dd57a3c 100644 --- a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml +++ b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/17" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -168,3 +168,21 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml index 6073256d5ec..04869b7baed 100644 --- a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml +++ b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -156,12 +156,22 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -name = "Defense Evasion" -id = "TA0005" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" 
diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml index c214967001f..c2e9257195e 100644 --- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml +++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/28" integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -131,6 +131,16 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml index d916e1256e9..f7950400278 100644 --- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml +++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
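Review bot: The added `T1203` / `Exploitation for Client Execution` entry in the privilege_escalation_potential_wildcard_shell_spawn hunk (`@@ -131,6 +131,16 @@`) looks like a questionable fit: in ATT&CK that technique covers exploitation of software vulnerabilities in client applications such as browsers and document readers, whereas wildcard injection, which the rule name points to, relies on argument expansion rather than a client-application vulnerability, so analysts pivoting by technique would not expect this rule there. If the intent was only to capture the execution aspect, the added `T1059.004` / `Unix Shell` sub-technique already does that; otherwise the rationale for `T1203` should be stated in the commit or PR description. The rule body and the `[[rule.threat]]` header precede the hunk, so this is based on the file name and the mapping alone.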
@@ -117,3 +117,29 @@ reference = "https://attack.mitre.org/techniques/T1078/003/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml b/rules/linux/privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml index 84c02d17563..789d6a14b7c 100644 --- a/rules/linux/privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml +++ b/rules/linux/privilege_escalation_snap_confine_lpe_via_cve_2026_3888.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,6 +110,11 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml index c90a6990fbb..c7384b9670d 100644 --- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml +++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/30" integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,6 +118,16 @@ id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index b137cf4d019..5d26914be44 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -133,6 +133,11 @@ id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -150,3 +155,16 @@ reference = "https://attack.mitre.org/techniques/T1574/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1056" +name = "Input Capture" +reference = "https://attack.mitre.org/techniques/T1056/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" 
diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml index 5ea5e75e9e2..feb099acfe7 100644 --- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml +++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/31" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -103,29 +103,56 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" - [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[[rule.threat.technique.subtechnique]] +id = "T1055.008" +name = "Ptrace System Calls" +reference = "https://attack.mitre.org/techniques/T1055/008/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.003" +name = "Sudo and Sudo Caching" +reference = "https://attack.mitre.org/techniques/T1548/003/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml index a679ec48580..a15937e4c28 100644 --- a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml +++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/09/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -122,3 +122,21 @@ reference = "https://attack.mitre.org/techniques/T1548/001/" id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml index 0035cfea05d..c6754a242a6 100644 --- a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml +++ b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/08" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -109,14 +109,36 @@ In Linux, CAP_CHOWN and CAP_FOWNER are capabilities that allow processes to chan [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1222" +name = "File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/" + +[[rule.threat.technique.subtechnique]] +id = "T1222.002" +name = "Linux and Mac File and Directory Permissions Modification" +reference = "https://attack.mitre.org/techniques/T1222/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml index 923962a5d96..20c3a9c7a7c 100644 --- a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml +++ b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml @@ -2,7 +2,7 @@ creation_date = "2024/01/22" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -124,14 +124,31 @@ In Linux environments, the `/etc/passwd` file is crucial for managing user accou
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1136.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1136/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
index a179911f656..2c32e927a08 100644
--- a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
+++ b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/08"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -141,3 +141,21 @@ reference = "https://attack.mitre.org/techniques/T1548/001/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/linux/privilege_escalation_uid_change_post_compilation.toml b/rules/linux/privilege_escalation_uid_change_post_compilation.toml
index 8a74ae8f836..34b21863ace 100644
--- a/rules/linux/privilege_escalation_uid_change_post_compilation.toml
+++ b/rules/linux/privilege_escalation_uid_change_post_compilation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -110,6 +110,16 @@ id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
diff --git a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
index 46af7128890..31c8199b6ec 100644
--- a/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
+++ b/rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -115,6 +115,16 @@ and process.parent.name:("bash" or "dash" or "sh" or "tcsh" or "csh" or "zsh" or
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
@@ -142,7 +152,6 @@ reference = "https://attack.mitre.org/techniques/T1014/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable"]
diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
index 05c5c6f2abf..98ed00988c7 100644
--- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
+++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -125,6 +125,11 @@ id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique]]
+id = "T1611"
+name = "Escape to Host"
+reference = "https://attack.mitre.org/techniques/T1611/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
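Review bot: Hunk `@@ -142,7 +152,6 @@` of privilege_escalation_uid_elevation_from_unknown_executable.toml does nothing but remove the blank line between `[rule.threat.tactic]` and `[rule.new_terms]`, so the two tables now abut; every other table in this commit is separated by one blank line, and the hunk header counts for the corresponding `[rule.new_terms]` transition in command_and_control_unusual_network_connection_to_suspicious_web_service.toml show no such removal there. This looks like a formatter artifact rather than intent; restore the blank line so the file matches the rest of the set.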
diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml
index 7b9152ef549..a19944f3bd7 100644
--- a/rules/linux/privilege_escalation_writable_docker_socket.toml
+++ b/rules/linux/privilege_escalation_writable_docker_socket.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/25"
 integration = ["endpoint", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -107,14 +107,26 @@ Docker sockets facilitate communication between the Docker client and daemon, ty
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1611"
 name = "Escape to Host"
 reference = "https://attack.mitre.org/techniques/T1611/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1610"
+name = "Deploy Container"
+reference = "https://attack.mitre.org/techniques/T1610/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/macos/collection_discovery_output_written_to_suspicious_file.toml b/rules/macos/collection_discovery_output_written_to_suspicious_file.toml
index 298a32c90fc..040480b43bf 100644
--- a/rules/macos/collection_discovery_output_written_to_suspicious_file.toml
+++ b/rules/macos/collection_discovery_output_written_to_suspicious_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -75,30 +75,40 @@ sequence by process.entity_id with maxspan=15s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Collection"
- id = "TA0009"
- reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat.technique]]
+id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"
- [[rule.threat.technique]]
- name = "Data Staged"
- id = "T1074"
- reference = "https://attack.mitre.org/techniques/T1074/"
+[[rule.threat.technique.subtechnique]]
+id = "T1074.001"
+name = "Local Data Staging"
+reference = "https://attack.mitre.org/techniques/T1074/001/"
- [[rule.threat.technique.subtechnique]]
- name = "Local Data Staging"
- id = "T1074.001"
- reference = "https://attack.mitre.org/techniques/T1074/001/"
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Discovery"
- id = "TA0007"
- reference = "https://attack.mitre.org/tactics/TA0007/"
-
- [[rule.threat.technique]]
- name = "System Information Discovery"
- id = "T1082"
- reference = "https://attack.mitre.org/techniques/T1082/"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/macos/collection_sensitive_file_access_followed_by_compression.toml b/rules/macos/collection_sensitive_file_access_followed_by_compression.toml
index 68fa16c9024..27155e6e4f8 100644
--- a/rules/macos/collection_sensitive_file_access_followed_by_compression.toml
+++ b/rules/macos/collection_sensitive_file_access_followed_by_compression.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -80,30 +80,35 @@ sequence by process.entity_id with maxspan=30s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Collection"
- id = "TA0009"
- reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
- [[rule.threat.technique]]
- name = "Data Staged"
- id = "T1074"
- reference = "https://attack.mitre.org/techniques/T1074/"
+[[rule.threat.technique]]
+id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"
- [[rule.threat.technique.subtechnique]]
- name = "Local Data Staging"
- id = "T1074.001"
- reference = "https://attack.mitre.org/techniques/T1074/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1074.001"
+name = "Local Data Staging"
+reference = "https://attack.mitre.org/techniques/T1074/001/"
- [[rule.threat.technique]]
- name = "Archive Collected Data"
- id = "T1560"
- reference = "https://attack.mitre.org/techniques/T1560/"
+[[rule.threat.technique]]
+id = "T1560"
+name = "Archive Collected Data"
+reference = "https://attack.mitre.org/techniques/T1560/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Exfiltration"
- id = "TA0010"
- reference = "https://attack.mitre.org/tactics/TA0010/"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
diff --git a/rules/macos/command_and_control_aws_s3_connection_via_script.toml b/rules/macos/command_and_control_aws_s3_connection_via_script.toml
index 2128dd0828a..3b50a6efad2 100644
--- a/rules/macos/command_and_control_aws_s3_connection_via_script.toml
+++ b/rules/macos/command_and_control_aws_s3_connection_via_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -78,30 +78,58 @@ FROM logs-endpoint.events.network-*
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
- [[rule.threat.technique]]
- name = "Web Service"
- id = "T1102"
- reference = "https://attack.mitre.org/techniques/T1102/"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Exfiltration"
- id = "TA0010"
- reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
- [[rule.threat.technique]]
- name = "Exfiltration Over Web Service"
- id = "T1567"
- reference = "https://attack.mitre.org/techniques/T1567/"
+[[rule.threat.technique.subtechnique]]
+id = "T1567.002"
+name = "Exfiltration to Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1567/002/"
- [[rule.threat.technique.subtechnique]]
- name = "Exfiltration to Cloud Storage"
- id = "T1567.002"
- reference = "https://attack.mitre.org/techniques/T1567/002/"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/macos/command_and_control_google_calendar_c2_via_script.toml b/rules/macos/command_and_control_google_calendar_c2_via_script.toml
index 9d68b0d613a..38e50b72a18 100644
--- a/rules/macos/command_and_control_google_calendar_c2_via_script.toml
+++ b/rules/macos/command_and_control_google_calendar_c2_via_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
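Review bot: The Execution entry that closes hunk `@@ -78,30 +78,58 @@` (started on the previous physical line) adds `T1059.002` (AppleScript), but the ES|QL query that selects the scripting processes is outside the hunk, so it is not visible whether `osascript` is among the matched interpreters; if it is not, the AppleScript sub-technique over-tags the rule. The same `T1059.002` block is added in the google_calendar_c2_via_script and potential_etherhiding_c2 hunks and deserves the same check. A sub-technique the query cannot actually produce inflates the rule's apparent ATT&CK coverage without adding detection.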
@@ -83,40 +83,50 @@ sequence by process.entity_id with maxspan=20s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
- [[rule.threat.technique]]
- name = "Web Service"
- id = "T1102"
- reference = "https://attack.mitre.org/techniques/T1102/"
+[[rule.threat.technique.subtechnique]]
+id = "T1102.001"
+name = "Dead Drop Resolver"
+reference = "https://attack.mitre.org/techniques/T1102/001/"
- [[rule.threat.technique.subtechnique]]
- name = "Bidirectional Communication"
- id = "T1102.002"
- reference = "https://attack.mitre.org/techniques/T1102/002/"
+[[rule.threat.technique.subtechnique]]
+id = "T1102.002"
+name = "Bidirectional Communication"
+reference = "https://attack.mitre.org/techniques/T1102/002/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
-
- [[rule.threat.technique]]
- name = "Command and Scripting Interpreter"
- id = "T1059"
- reference = "https://attack.mitre.org/techniques/T1059/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Python"
- id = "T1059.006"
- reference = "https://attack.mitre.org/techniques/T1059/006/"
-
- [[rule.threat.technique.subtechnique]]
- name = "JavaScript"
- id = "T1059.007"
- reference = "https://attack.mitre.org/techniques/T1059/007/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/macos/command_and_control_network_connection_to_oast_domain.toml b/rules/macos/command_and_control_network_connection_to_oast_domain.toml
index 0da1e9b9455..3b29be346b3 100644
--- a/rules/macos/command_and_control_network_connection_to_oast_domain.toml
+++ b/rules/macos/command_and_control_network_connection_to_oast_domain.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -77,25 +77,56 @@ sequence by process.entity_id with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
- [[rule.threat.technique]]
- name = "Web Service"
- id = "T1102"
- reference = "https://attack.mitre.org/techniques/T1102/"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Exfiltration"
- id = "TA0010"
- reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
- [[rule.threat.technique]]
- name = "Exfiltration Over Web Service"
- id = "T1567"
- reference = "https://attack.mitre.org/techniques/T1567/"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1195.001"
+name = "Compromise Software Dependencies and Development Tools"
+reference = "https://attack.mitre.org/techniques/T1195/001/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
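Review bot: The new Execution entry in hunk `@@ -77,25 +77,56 @@` adds the bare parent `T1059` with no sub-technique, while the other macOS sequence rules re-tagged in this commit (perl_outbound_network_connection, potential_etherhiding_c2, script_interpreter_connection_to_non_standard_port) enumerate the interpreters their first step matches; if this sequence also names specific interpreters, list the matching `T1059.xxx` sub-techniques here for consistency. Separately, the Initial Access entry for `T1195.001` asserts how the process got onto the host, which a connection to an OAST domain cannot establish on its own; it is only justified if the rule's description (outside this hunk) documents the dependency-callback scenario the rule is meant to surface.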
diff --git a/rules/macos/command_and_control_perl_outbound_network_connection.toml b/rules/macos/command_and_control_perl_outbound_network_connection.toml
index 5241029aa80..e3fa344b232 100644
--- a/rules/macos/command_and_control_perl_outbound_network_connection.toml
+++ b/rules/macos/command_and_control_perl_outbound_network_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -74,30 +74,35 @@ sequence by process.entity_id with maxspan=30s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
- [[rule.threat.technique]]
- name = "Application Layer Protocol"
- id = "T1071"
- reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
- [[rule.threat.technique.subtechnique]]
- name = "Web Protocols"
- id = "T1071.001"
- reference = "https://attack.mitre.org/techniques/T1071/001/"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
- [[rule.threat.technique]]
- name = "Command and Scripting Interpreter"
- id = "T1059"
- reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/macos/command_and_control_potential_etherhiding_c2.toml b/rules/macos/command_and_control_potential_etherhiding_c2.toml
index d6eb9a913f6..dfa3fa46769 100644
--- a/rules/macos/command_and_control_potential_etherhiding_c2.toml
+++ b/rules/macos/command_and_control_potential_etherhiding_c2.toml
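Review bot: The Execution entry in hunk `@@ -74,30 +74,35 @@` adds `T1059.006` (Python) to a rule whose file name says it detects Perl outbound connections; ATT&CK has no Perl sub-technique, so unless the sequence's first step (outside this hunk) also matches a Python interpreter, the sub-technique mis-tags the rule. The old side carried only the parent `T1059`, which is the accurate mapping for Perl. If the query is Perl-only, remove the added `T1059.006` `[[rule.threat.technique.subtechnique]]` block and keep the parent technique alone.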
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/03"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -80,45 +80,55 @@ sequence by process.entity_id with maxspan=15s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
- [[rule.threat.technique]]
- name = "Web Service"
- id = "T1102"
- reference = "https://attack.mitre.org/techniques/T1102/"
+[[rule.threat.technique.subtechnique]]
+id = "T1102.001"
+name = "Dead Drop Resolver"
+reference = "https://attack.mitre.org/techniques/T1102/001/"
- [[rule.threat.technique.subtechnique]]
- name = "Bidirectional Communication"
- id = "T1102.002"
- reference = "https://attack.mitre.org/techniques/T1102/002/"
+[[rule.threat.technique.subtechnique]]
+id = "T1102.002"
+name = "Bidirectional Communication"
+reference = "https://attack.mitre.org/techniques/T1102/002/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
-
- [[rule.threat.technique]]
- name = "Command and Scripting Interpreter"
- id = "T1059"
- reference = "https://attack.mitre.org/techniques/T1059/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Unix Shell"
- id = "T1059.004"
- reference = "https://attack.mitre.org/techniques/T1059/004/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Python"
- id = "T1059.006"
- reference = "https://attack.mitre.org/techniques/T1059/006/"
-
- [[rule.threat.technique.subtechnique]]
- name = "JavaScript"
- id = "T1059.007"
- reference = "https://attack.mitre.org/techniques/T1059/007/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/macos/command_and_control_script_interpreter_connection_to_non_standard_port.toml b/rules/macos/command_and_control_script_interpreter_connection_to_non_standard_port.toml
index d4ff78d4875..ce91f8fa55a 100644
--- a/rules/macos/command_and_control_script_interpreter_connection_to_non_standard_port.toml
+++ b/rules/macos/command_and_control_script_interpreter_connection_to_non_standard_port.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -83,35 +83,40 @@ sequence by process.entity_id with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1571"
+name = "Non-Standard Port"
+reference = "https://attack.mitre.org/techniques/T1571/"
- [[rule.threat.technique]]
- name = "Non-Standard Port"
- id = "T1571"
- reference = "https://attack.mitre.org/techniques/T1571/"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
-
- [[rule.threat.technique]]
- name = "Command and Scripting Interpreter"
- id = "T1059"
- reference = "https://attack.mitre.org/techniques/T1059/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Python"
- id = "T1059.006"
- reference = "https://attack.mitre.org/techniques/T1059/006/"
-
- [[rule.threat.technique.subtechnique]]
- name = "JavaScript"
- id = "T1059.007"
- reference = "https://attack.mitre.org/techniques/T1059/007/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.005"
+name = "Visual Basic"
+reference = "https://attack.mitre.org/techniques/T1059/005/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
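Review bot: The Execution entry in hunk `@@ -83,35 +83,40 @@` adds `T1059.005` (Visual Basic) to a rule under `rules/macos/`; Visual Basic is a Windows interpreter family, and the sibling macOS script-interpreter rules re-tagged in this commit (perl_outbound_network_connection, potential_etherhiding_c2, aws_s3_connection_via_script) list only `.002`, `.004`, `.006` and `.007`. Unless the interpreter list in the sequence's first step (outside this hunk) includes an Office-for-Mac VBA host process, this looks carried over from a Windows rule and the `T1059.005` `[[rule.threat.technique.subtechnique]]` block should be removed.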
diff --git a/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml b/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml
index 06b8d5ebbe5..17e43a7bf0f 100644
--- a/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml
+++ b/rules/macos/command_and_control_suspicious_curl_from_macos_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -86,12 +86,40 @@ process where host.os.type == "macos" and event.type == "start" and event.action
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
- [[rule.threat.technique]]
- name = "Ingress Tool Transfer"
- id = "T1105"
- reference = "https://attack.mitre.org/techniques/T1105/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1553"
+name = "Subvert Trust Controls"
+reference = "https://attack.mitre.org/techniques/T1553/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1553.001"
+name = "Gatekeeper Bypass"
+reference = "https://attack.mitre.org/techniques/T1553/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml b/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml
index ba69a5cda68..6ad7cd47925 100644
--- a/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml
+++ b/rules/macos/command_and_control_suspicious_curl_to_google_app_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -80,22 +80,32 @@ sequence by process.entity_id with maxspan=15s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
-
- [[rule.threat.technique]]
- name = "Ingress Tool Transfer"
- id = "T1105"
- reference = "https://attack.mitre.org/techniques/T1105/"
-
- [[rule.threat.technique]]
- name = "Web Service"
- id = "T1102"
- reference = "https://attack.mitre.org/techniques/T1102/"
-
- [[rule.threat.technique.subtechnique]]
- name = "Bidirectional Communication"
- id = "T1102.002"
- reference = "https://attack.mitre.org/techniques/T1102/002/"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+[[rule.threat.technique]]
+id = "T1102"
+name = "Web Service"
+reference = "https://attack.mitre.org/techniques/T1102/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1102.002"
+name = "Bidirectional Communication"
+reference = "https://attack.mitre.org/techniques/T1102/002/"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/macos/command_and_control_suspicious_outbound_network_via_unsigned_binary.toml b/rules/macos/command_and_control_suspicious_outbound_network_via_unsigned_binary.toml
index fa4d92218ac..8e423be320a 100644
--- a/rules/macos/command_and_control_suspicious_outbound_network_via_unsigned_binary.toml
+++ b/rules/macos/command_and_control_suspicious_outbound_network_via_unsigned_binary.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -85,12 +85,30 @@ sequence by process.entity_id with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Command and Control"
- id = "TA0011"
- reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1571"
+name = "Non-Standard Port"
+reference = "https://attack.mitre.org/techniques/T1571/"
- [[rule.threat.technique]]
- name = "Non-Standard Port"
- id = "T1571"
- reference = "https://attack.mitre.org/techniques/T1571/"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1553"
+name = "Subvert Trust Controls"
+reference = "https://attack.mitre.org/techniques/T1553/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1553.001"
+name = "Gatekeeper Bypass"
+reference = "https://attack.mitre.org/techniques/T1553/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml
index 9a0859fd9b0..1fbe462cdbd 100644
--- a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml
+++ b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
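Review bot: The new Defense Evasion entry in hunk `@@ -85,12 +85,30 @@` of command_and_control_suspicious_outbound_network_via_unsigned_binary.toml tags `T1553.001` (Gatekeeper Bypass), but an outbound connection from an unsigned binary does not by itself show that Gatekeeper was bypassed: Gatekeeper evaluation is driven by the quarantine attribute, and an unsigned binary that was never quarantined executes without any bypass taking place. Unless the sequence's first step (outside this hunk) checks for the quarantine attribute or a Gatekeeper verdict, the parent `T1553` is the defensible mapping, or the Defense Evasion entry should be dropped. The same sub-technique is added in the suspicious_curl_from_macos_application hunk, where the curl-download rationale supports it better.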
@@ -188,11 +188,43 @@ id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.003" +name = "Exfiltration to Text Storage Sites" +reference = "https://attack.mitre.org/techniques/T1567/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.004" +name = "Exfiltration Over Webhook" +reference = "https://attack.mitre.org/techniques/T1567/004/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "destination.domain"] diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml index 11e5309dca4..f3f8506634b 100644 --- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml +++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,14 +100,18 @@ In macOS environments, built-in commands like `defaults` and `mkpassdb` can be e [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.008" +name = "/etc/passwd and /etc/shadow" +reference = "https://attack.mitre.org/techniques/T1003/008/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/macos/credential_access_high_volume_of_pbpaste.toml b/rules/macos/credential_access_high_volume_of_pbpaste.toml index 8cf8dad2102..113d70f61fe 100644 --- a/rules/macos/credential_access_high_volume_of_pbpaste.toml +++ b/rules/macos/credential_access_high_volume_of_pbpaste.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/12" integration = ["endpoint", "jamf_protect"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.investigate]] @@ -108,14 +108,26 @@ sequence by host.hostname, host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1056" name = "Input Capture" reference = "https://attack.mitre.org/techniques/T1056/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1115" +name = "Clipboard Data" +reference = "https://attack.mitre.org/techniques/T1115/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml index e566cdb00e5..3c279360921 100644 --- a/rules/macos/credential_access_kerberosdump_kcc.toml +++ b/rules/macos/credential_access_kerberosdump_kcc.toml 
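Review bot: The added `[[rule.threat.technique.subtechnique]]` block with `id = "T1003.008"` / `name = "/etc/passwd and /etc/shadow"` does not fit a macOS rule: as far as I recall ATT&CK scopes that sub-technique to Linux, and macOS has no /etc/shadow, since local account hashes live in the Open Directory local node. The parent T1003 block that is already present is the accurate level for the `defaults`/`mkpassdb` activity named in the hunk header, so I would drop the four added sub-technique lines, or confirm the sub-technique's current platform list in ATT&CK before keeping them. A mismatched sub-technique is worse than none here, because coverage dashboards will count this rule toward a Linux-only technique.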
@@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,6 +101,7 @@ Kerberos is a network authentication protocol designed to provide secure identit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" @@ -110,15 +111,18 @@ reference = "https://attack.mitre.org/techniques/T1003/" id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [[rule.threat.technique.subtechnique]] id = "T1558.003" name = "Kerberoasting" reference = "https://attack.mitre.org/techniques/T1558/003/" - +[[rule.threat.technique.subtechnique]] +id = "T1558.005" +name = "Ccache Files" +reference = "https://attack.mitre.org/techniques/T1558/005/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml index d1bc68892c1..938f9779c37 100644 --- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml +++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -107,29 +107,23 @@ Keychain is macOS's secure storage system for managing user credentials, includi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.001" name = "Keychain" reference = "https://attack.mitre.org/techniques/T1555/001/" - -[[rule.threat.technique]] -id = "T1555" -name = "Credentials from Password Stores" -reference = "https://attack.mitre.org/techniques/T1555/" [[rule.threat.technique.subtechnique]] id = "T1555.003" name = "Credentials from Web Browsers" reference = "https://attack.mitre.org/techniques/T1555/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml index 356443d7e15..dadd11cd20e 100644 --- a/rules/macos/credential_access_mitm_localhost_webproxy.toml +++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -103,14 +103,31 @@ Web proxy settings in macOS manage how web traffic is routed, often used to enha [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1539" name = "Steal Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1539/" +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml index 87666419b43..15af0dc3469 100644 --- a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml +++ b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -97,17 +97,29 @@ SSH (Secure Shell) is a protocol used to securely access remote systems. On macO [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.threshold] field = ["host.id"] value = 20 diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml index 24d5fa1fbd2..4cfbb25cd96 100644 --- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml +++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -112,19 +112,36 @@ OSASCRIPT is a macOS utility that allows the execution of AppleScript and other [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1056" name = "Input Capture" reference = "https://attack.mitre.org/techniques/T1056/" + [[rule.threat.technique.subtechnique]] id = "T1056.002" name = "GUI Input Capture" reference = "https://attack.mitre.org/techniques/T1056/002/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml b/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml index 26ee109c54d..7a1234c88ea 100644 --- a/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml +++ b/rules/macos/credential_access_python_sensitive_file_access_first_occurrence.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -73,20 +73,46 @@ process.name:python* [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1539" +name = "Steal Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1539/" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.001" name = "Keychain" reference = "https://attack.mitre.org/techniques/T1555/001/" +[[rule.threat.technique]] +id = "T1558" +name = "Steal or Forge Kerberos Tickets" +reference = "https://attack.mitre.org/techniques/T1558/" + +[[rule.threat.technique.subtechnique]] +id = "T1558.005" +name = "Ccache Files" +reference = "https://attack.mitre.org/techniques/T1558/005/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path"] diff --git a/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml b/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml index 9bc52f1784b..535d1743a39 100644 --- a/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml +++ b/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -105,6 +105,7 @@ Web browsers store sensitive data like cookies and login credentials in specific [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1539" name = "Steal Web Session Cookie" @@ -114,15 +115,26 @@ reference = "https://attack.mitre.org/techniques/T1539/" id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.003" name = "Credentials from Web Browsers" reference = "https://attack.mitre.org/techniques/T1555/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml index 0ce7fb22576..1f86c92819d 100644 --- a/rules/macos/credential_access_systemkey_dumping.toml +++ b/rules/macos/credential_access_systemkey_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,19 +99,31 @@ macOS keychains securely store user credentials, including passwords and certifi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.001" name = "Keychain" reference = "https://attack.mitre.org/techniques/T1555/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml index 744d460b16f..379b50eb32c 100644 --- a/rules/macos/defense_evasion_apple_softupdates_modification.toml +++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/15" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,19 +99,23 @@ In macOS environments, the SoftwareUpdate preferences manage system updates, cru [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique]] +id = "T1647" +name = "Plist File Modification" +reference = "https://attack.mitre.org/techniques/T1647/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml index 2a5331cde71..5f07e83525a 100644 --- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml +++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,19 +107,28 @@ In macOS, files downloaded from the internet are tagged with a quarantine attrib [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" + +[[rule.threat.technique.subtechnique]] +id = "T1553.001" +name = "Gatekeeper Bypass" +reference = "https://attack.mitre.org/techniques/T1553/001/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml index d56533056a0..c5a7587ca5d 100644 --- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml +++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,14 +102,18 @@ Gatekeeper is a macOS security feature that ensures only trusted software runs b [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.001" +name = "Gatekeeper Bypass" +reference = "https://attack.mitre.org/techniques/T1553/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_dylib_injection_via_env_vars.toml b/rules/macos/defense_evasion_dylib_injection_via_env_vars.toml index 65c5732f957..115d5925383 100644 --- a/rules/macos/defense_evasion_dylib_injection_via_env_vars.toml +++ b/rules/macos/defense_evasion_dylib_injection_via_env_vars.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
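Review bot: The `@@ -102,14 +102,18 @@` hunk for defense_evasion_attempt_to_disable_gatekeeper.toml adds only T1553.001 Gatekeeper Bypass, whereas the defense_evasion_attempt_del_quarantine_attrib.toml hunk in this same commit maps the same behaviour family to both T1553.001 and T1562/T1562.001 Disable or Modify Tools. Turning Gatekeeper off is the clearest case of disabling a security tool, so the omission here looks like an inconsistency rather than a deliberate choice. Consider adding a `[[rule.threat.technique]]` block for `id = "T1562"` with a `[[rule.threat.technique.subtechnique]]` block for `id = "T1562.001"`, in the same ascending order as the sibling rule. If the single mapping is intentional, a one-line comment above the `[[rule.threat]]` table saying why would save the next reviewer the same question.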
@@ -89,35 +89,53 @@ sequence by process.entity_id with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique]] - name = "Hijack Execution Flow" - id = "T1574" - reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" - [[rule.threat.technique.subtechnique]] - name = "Dynamic Linker Hijacking" - id = "T1574.006" - reference = "https://attack.mitre.org/techniques/T1574/006/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" - [[rule.threat.technique]] - name = "Hijack Execution Flow" - id = "T1574" - reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" - [[rule.threat.technique.subtechnique]] - name = "Dynamic Linker Hijacking" - id = "T1574.006" - reference = "https://attack.mitre.org/techniques/T1574/006/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + 
+[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml b/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml index 026222507de..4293e385f82 100644 --- a/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml +++ b/rules/macos/defense_evasion_gatekeeper_override_and_execution.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -76,27 +76,45 @@ configuration where host.os.type == "macos" and event.action == "gatekeeper_over [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Defense Evasion" - id = "TA0005" - reference = "https://attack.mitre.org/tactics/TA0005/" - - [[rule.threat.technique]] - name = "Impair Defenses" - id = "T1562" - reference = "https://attack.mitre.org/techniques/T1562/" - - [[rule.threat.technique.subtechnique]] - name = "Disable or Modify Tools" - id = "T1562.001" - reference = "https://attack.mitre.org/techniques/T1562/001/" - - [[rule.threat.technique]] - name = "Subvert Trust Controls" - id = "T1553" - reference = "https://attack.mitre.org/techniques/T1553/" - - [[rule.threat.technique.subtechnique]] - name = "Gatekeeper Bypass" - id = "T1553.001" - reference = "https://attack.mitre.org/techniques/T1553/001/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" + +[[rule.threat.technique.subtechnique]] +id = "T1553.001" +name = "Gatekeeper Bypass" +reference = "https://attack.mitre.org/techniques/T1553/001/" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml index cc25b452be3..72328ff7eeb 100644 --- a/rules/macos/defense_evasion_modify_environment_launchctl.toml +++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,19 +102,23 @@ Environment variables in macOS are crucial for configuring system and applicatio [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.006" +name = "Dynamic Linker Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/006/" + [[rule.threat.technique.subtechnique]] id = "T1574.007" name = "Path Interception by PATH Environment Variable" reference = "https://attack.mitre.org/techniques/T1574/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml index 142f83f0d06..e6df1d7b6bc 100644 --- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml +++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -104,19 +104,28 @@ The Transparency, Consent, and Control (TCC) database in macOS manages app permi [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.006" +name = "TCC Manipulation" +reference = "https://attack.mitre.org/techniques/T1548/006/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml index edcdf2e9347..cd78d6ab68b 100644 --- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml +++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
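Review bot: The new T1548/T1548.006 TCC Manipulation mapping in the `@@ -104,19 +104,28 @@` hunk appears only under TA0005 Defense Evasion, while the same sub-technique is mapped under both TA0005 and a second `[[rule.threat]]` table for TA0004 Privilege Escalation in defense_evasion_suspicious_tcc_access_granted.toml, and T1548 is likewise dual-mapped in defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml in this commit. Writing grants directly into the TCC database gives a process permissions the user never approved, so the Privilege Escalation tactic looks applicable here as well. To stay consistent, add a `[[rule.threat]]` table with `framework = "MITRE ATT&CK"`, the same T1548/T1548.006 technique blocks, and a `[rule.threat.tactic]` with `id = "TA0004"`, mirroring the suspicious_tcc_access_granted hunk. If the single-tactic mapping is deliberate, a short comment above the table noting that would make the difference between the two rules intentional rather than accidental.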
@@ -105,26 +105,39 @@ Secure Copy Protocol (SCP) is used for secure file transfers over SSH. On macOS, [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml index 4a35cd07257..10e852e4536 100644 --- a/rules/macos/defense_evasion_safari_config_change.toml +++ b/rules/macos/defense_evasion_safari_config_change.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,19 +100,23 @@ The 'defaults' command in macOS is a utility that allows users to read, write, a [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - +[[rule.threat.technique]] +id = "T1647" +name = "Plist File Modification" +reference = "https://attack.mitre.org/techniques/T1647/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml index 308e0584ee7..7ba87ae52c0 100644 --- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml +++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,14 +101,23 @@ Microsoft Office applications on macOS operate within a sandbox to limit potenti [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1497" name = "Virtualization/Sandbox Evasion" reference = "https://attack.mitre.org/techniques/T1497/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml b/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml index 03d0581f379..70b84cd9768 100644 --- a/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml +++ b/rules/macos/defense_evasion_suspicious_tcc_access_granted.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/03" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -85,30 +85,48 @@ FROM logs-endpoint.events.*
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
- [[rule.threat.technique]]
- name = "Abuse Elevation Control Mechanism"
- id = "T1548"
- reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.006"
+name = "TCC Manipulation"
+reference = "https://attack.mitre.org/techniques/T1548/006/"
- [[rule.threat.technique.subtechnique]]
- name = "TCC Manipulation"
- id = "T1548.006"
- reference = "https://attack.mitre.org/techniques/T1548/006/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Collection"
- id = "TA0009"
- reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
- [[rule.threat.technique]]
- name = "Data from Local System"
- id = "T1005"
- reference = "https://attack.mitre.org/techniques/T1005/"
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.006"
+name = "TCC Manipulation"
+reference = "https://attack.mitre.org/techniques/T1548/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index 78f98ad6975..bb9e3a4e69b 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -98,14 +98,26 @@ Apple's TCC framework safeguards user data by controlling app access to sensitiv
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1006"
 name = "Direct Volume Access"
 reference = "https://attack.mitre.org/techniques/T1006/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/macos/discovery_full_disk_access_check.toml b/rules/macos/discovery_full_disk_access_check.toml
index 58b259b52dd..1bd5142d126 100644
--- a/rules/macos/discovery_full_disk_access_check.toml
+++ b/rules/macos/discovery_full_disk_access_check.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -72,30 +72,48 @@ file where host.os.type == "macos" and event.action == "open" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Discovery"
- id = "TA0007"
- reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
- [[rule.threat.technique]]
- name = "File and Directory Discovery"
- id = "T1083"
- reference = "https://attack.mitre.org/techniques/T1083/"
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Defense Evasion"
- id = "TA0005"
- reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
- [[rule.threat.technique]]
- name = "Abuse Elevation Control Mechanism"
- id = "T1548"
- reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.006"
+name = "TCC Manipulation"
+reference = "https://attack.mitre.org/techniques/T1548/006/"
- [[rule.threat.technique.subtechnique]]
- name = "TCC Manipulation"
- id = "T1548.006"
- reference = "https://attack.mitre.org/techniques/T1548/006/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.006"
+name = "TCC Manipulation"
+reference = "https://attack.mitre.org/techniques/T1548/006/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/macos/discovery_suspicious_sip_check.toml b/rules/macos/discovery_suspicious_sip_check.toml
index cf48e7fe8b7..19b49d3f620 100644
--- a/rules/macos/discovery_suspicious_sip_check.toml
+++ b/rules/macos/discovery_suspicious_sip_check.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -74,22 +74,40 @@ process where host.os.type == "macos" and event.type == "start" and event.action
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Discovery"
- id = "TA0007"
- reference = "https://attack.mitre.org/tactics/TA0007/"
-
- [[rule.threat.technique]]
- name = "System Information Discovery"
- id = "T1082"
- reference = "https://attack.mitre.org/techniques/T1082/"
-
- [[rule.threat.technique]]
- name = "Virtualization/Sandbox Evasion"
- id = "T1497"
- reference = "https://attack.mitre.org/techniques/T1497/"
-
- [[rule.threat.technique.subtechnique]]
- name = "System Checks"
- id = "T1497.001"
- reference = "https://attack.mitre.org/techniques/T1497/001/"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+[[rule.threat.technique]]
+id = "T1497"
+name = "Virtualization/Sandbox Evasion"
+reference = "https://attack.mitre.org/techniques/T1497/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1497.001"
+name = "System Checks"
+reference = "https://attack.mitre.org/techniques/T1497/001/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1497"
+name = "Virtualization/Sandbox Evasion"
+reference = "https://attack.mitre.org/techniques/T1497/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1497.001"
+name = "System Checks"
+reference = "https://attack.mitre.org/techniques/T1497/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/macos/discovery_system_and_network_configuration_check.toml b/rules/macos/discovery_system_and_network_configuration_check.toml
index 05dfd0e7ded..4e55e3ad844 100644
--- a/rules/macos/discovery_system_and_network_configuration_check.toml
+++ b/rules/macos/discovery_system_and_network_configuration_check.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -71,17 +71,17 @@ file where host.os.type == "macos" and event.action == "open" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Discovery"
- id = "TA0007"
- reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
- [[rule.threat.technique]]
- name = "System Information Discovery"
- id = "T1082"
- reference = "https://attack.mitre.org/techniques/T1082/"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
- [[rule.threat.technique]]
- name = "System Network Configuration Discovery"
- id = "T1016"
- reference = "https://attack.mitre.org/techniques/T1016/"
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 6720bc025b4..d8b8d169b92 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -105,29 +105,38 @@ Built-in macOS commands like `ldapsearch`, `dsmemberutil`, and `dscl` are essent
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1069.001"
 name = "Local Groups"
 reference = "https://attack.mitre.org/techniques/T1069/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1069.002"
+name = "Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1069/002/"
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1087/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1087.002"
+name = "Domain Account"
+reference = "https://attack.mitre.org/techniques/T1087/002/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
index 6ec5857b809..6ac080940fa 100644
--- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -103,26 +103,31 @@ Electron applications, built on Node.js, can execute child processes using the `
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index 3280689d092..e15e1221599 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -106,26 +106,64 @@ Web browsers are integral to user interaction with the internet, often serving a
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1189"
 name = "Drive-by Compromise"
 reference = "https://attack.mitre.org/techniques/T1189/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
index f54b8347f48..3b70f10fc01 100644
--- a/rules/macos/execution_installer_package_spawned_network_event.toml
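Review bot: The new `T1059.001` (PowerShell) sub-technique on a macOS browser child-process rule is only accurate if the query, which starts before this hunk, actually lists `pwsh` among the suspicious child processes; PowerShell does ship for macOS, but nothing in the hunk shows the rule matching it. If the process-name list does not include `pwsh`, drop the three-line `T1059.001` block so the threat mapping does not advertise coverage the rule lacks; if it does, the mapping is fine as written. The same check is worth running for `T1059.006` (Python) against this rule's own list rather than carrying it over from the other macOS mappings in this change.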
+++ b/rules/macos/execution_installer_package_spawned_network_event.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/02/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -112,36 +112,56 @@ MacOS installer packages, often with a .pkg extension, are used to distribute so
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1071.001"
 name = "Web Protocols"
 reference = "https://attack.mitre.org/techniques/T1071/001/"
-
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/macos/execution_python_shell_spawn_first_occurrence.toml b/rules/macos/execution_python_shell_spawn_first_occurrence.toml
index 6da50e09b03..1e674eb9dd0 100644
--- a/rules/macos/execution_python_shell_spawn_first_occurrence.toml
+++ b/rules/macos/execution_python_shell_spawn_first_occurrence.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -76,10 +76,17 @@ not process.command_line:(*pip* or *conda* or *brew* or *jupyter*)
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.006"
 name = "Python"
@@ -89,7 +96,6 @@ reference = "https://attack.mitre.org/techniques/T1059/006/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "process.parent.executable"]
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index a5320a95420..e0a473b5ca8 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -97,14 +97,18 @@ Automator, a macOS utility, allows users to automate repetitive tasks through wo
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index f657656b65c..c8652253c2e 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -108,31 +108,36 @@ AppleScript, a scripting language for macOS, automates tasks by controlling appl
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.002"
 name = "AppleScript"
 reference = "https://attack.mitre.org/techniques/T1059/002/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
 [[rule.threat.technique]]
 id = "T1105"
 name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index 03218b38b18..3c9e5a49850 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -101,14 +101,23 @@ AppleScript and JXA are scripting languages used in macOS to automate tasks and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/macos/execution_unusual_library_load_via_python.toml b/rules/macos/execution_unusual_library_load_via_python.toml
index 99c96e54eed..74c7555e5d1 100644
--- a/rules/macos/execution_unusual_library_load_via_python.toml
+++ b/rules/macos/execution_unusual_library_load_via_python.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -82,17 +82,22 @@ library where host.os.type == "macos" and event.action == "load" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
- [[rule.threat.technique]]
- name = "Command and Scripting Interpreter"
- id = "T1059"
- reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
- [[rule.threat.technique.subtechnique]]
- name = "Python"
- id = "T1059.006"
- reference = "https://attack.mitre.org/techniques/T1059/006/"
+[[rule.threat.technique]]
+id = "T1129"
+name = "Shared Modules"
+reference = "https://attack.mitre.org/techniques/T1129/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index b89f017f619..e7f5358d96b 100644
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -164,19 +164,61 @@ Microsoft Office applications on macOS can be exploited by adversaries to execut
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1566.001"
 name = "Spearphishing Attachment"
 reference = "https://attack.mitre.org/techniques/T1566/001/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique]]
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
+
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index 23775e46154..2050d05ec37 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -103,36 +103,79 @@ Kerberos is a network authentication protocol designed to provide secure identit
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1550"
 name = "Use Alternate Authentication Material"
 reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.002"
+name = "Pass the Hash"
+reference = "https://attack.mitre.org/techniques/T1550/002/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1550.003"
 name = "Pass the Ticket"
 reference = "https://attack.mitre.org/techniques/T1550/003/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
 [[rule.threat.technique]]
 id = "T1558"
 name = "Steal or Forge Kerberos Tickets"
 reference = "https://attack.mitre.org/techniques/T1558/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1558.003"
 name = "Kerberoasting"
 reference = "https://attack.mitre.org/techniques/T1558/003/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1558.005"
+name = "Ccache Files"
+reference = "https://attack.mitre.org/techniques/T1558/005/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.002"
+name = "Pass the Hash"
+reference = "https://attack.mitre.org/techniques/T1550/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.003"
+name = "Pass the Ticket"
+reference = "https://attack.mitre.org/techniques/T1550/003/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index 5d7922d88c6..f8bc0af0692 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -101,19 +101,31 @@ The `systemsetup` command in macOS is a utility that allows administrators to co
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.004"
 name = "SSH"
 reference = "https://attack.mitre.org/techniques/T1021/004/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml b/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml
index e96f7b9451c..24db77448d6 100644
--- a/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml
+++ b/rules/macos/lateral_movement_suspicious_curl_to_jamf_endpoint.toml
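Review bot: `T1552.001` (Credentials In Files) in the Credential Access block overlaps with the more specific `T1558.005` (Ccache Files) added later in the same block; unless the query, which is outside this hunk, also matches reads of credential files other than a Kerberos ccache, the T1552 parent and sub-technique restate what T1558.005 already says and should be dropped. `T1550.002` (Pass the Hash) is only justified if the rule's command-line matching covers a hash-based ticket request option, so confirm it against the query rather than the tool's feature list. Listing T1550 under both Lateral Movement and the new Defense Evasion block matches the tactics ATT&CK assigns to that technique, so that part is fine. Note also that the `+name = "Pass the Ticket"` line of the last T1550.003 block is split across two lines on this page; in the file it must be a single line or the TOML will not parse.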
@@ -2,7 +2,7 @@
 creation_date = "2026/01/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -78,25 +78,45 @@ process where host.os.type == "macos" and event.type == "start" and event.action
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Lateral Movement"
- id = "TA0008"
- reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat.technique]]
+id = "T1072"
+name = "Software Deployment Tools"
+reference = "https://attack.mitre.org/techniques/T1072/"
- [[rule.threat.technique]]
- name = "Software Deployment Tools"
- id = "T1072"
- reference = "https://attack.mitre.org/techniques/T1072/"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
- [rule.threat.tactic]
- name = "Execution"
- id = "TA0002"
- reference = "https://attack.mitre.org/tactics/TA0002/"
-
- [[rule.threat.technique]]
- name = "Software Deployment Tools"
- id = "T1072"
- reference = "https://attack.mitre.org/techniques/T1072/"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.006"
+name = "Python"
+reference = "https://attack.mitre.org/techniques/T1059/006/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+
+[[rule.threat.technique]]
+id = "T1072"
+name = "Software Deployment Tools"
+reference = "https://attack.mitre.org/techniques/T1072/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
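Review bot: The Execution block now claims `T1059.002`, `T1059.006` and `T1059.007` for a rule wh  ose filename describes suspicious curl activity to a Jamf endpoint, but only the first line of the query is visible (in the hunk header) and the rest lies outside the hunk, so nothing here shows osascript, python or a JavaScript runtime being matched as the process or its parent. Keep only the sub-techniques the query's process or parent-name lists actually name; `T1059.007` in particular presumes a JXA or node parent that the hunk does not evidence, and if none of the three is matched the `T1059` parent entry should go too. `T1072` under both Lateral Movement and Execution is consistent with ATT&CK, so no change is needed there.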
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index 448fb9b9bff..c284bdb2415 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -105,14 +105,26 @@ Virtual Private Networks (VPNs) are used to securely connect to remote networks,
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
index 8ffa3621827..aad29d1ee6c 100644
--- a/rules/macos/persistence_account_creation_hide_at_logon.toml
+++ b/rules/macos/persistence_account_creation_hide_at_logon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -98,19 +98,46 @@ In macOS environments, the `dscl` command-line utility manages directory service [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" +[[rule.threat.technique.subtechnique]] +id = "T1136.001" +name = "Local Account" +reference = "https://attack.mitre.org/techniques/T1136/001/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" + +[[rule.threat.technique.subtechnique]] +id = "T1564.002" +name = "Hidden Users" +reference = "https://attack.mitre.org/techniques/T1564/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/macos/persistence_apple_mail_rule_modification.toml b/rules/macos/persistence_apple_mail_rule_modification.toml index 4e7a49b2daa..5c61bee11fd 100644 --- a/rules/macos/persistence_apple_mail_rule_modification.toml +++ b/rules/macos/persistence_apple_mail_rule_modification.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
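Review bot: Blank-line placement inside the restructured Persistence entry is inconsistent: the added `[[rule.threat.technique]]` T1136 block follows the T1078.003 sub-technique's `reference` line directly and its own `[[rule.threat.technique.subtechnique]]` T1136.001 follows without a separator, while the new Defense Evasion `[[rule.threat]]` entry further down places a blank line between every table. The same abutting tables appear in the hunks for persistence_creation_change_launch_agents_file, persistence_creation_hidden_login_item_osascript, persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process, persistence_directory_services_plugins_modification, persistence_docker_shortcuts_plist_modification, persistence_evasion_hidden_launch_agent_deamon_creation, persistence_folder_action_scripts_runtime, persistence_python_launch_agent_or_daemon_creation_first_occurrence, persistence_screensaver_plist_file_modification, persistence_via_atom_init_file_modification and privilege_escalation_applescript_with_admin_privs. Running the repository's TOML formatter over the touched files before merge would normalise this in one pass. The diff is collapsed here, so a blank context line may be hiding at some of these spots; treat the exact positions as to be confirmed.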
@@ -81,25 +81,38 @@ file where host.os.type == "macos" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique]] - name = "Event Triggered Execution" - id = "T1546" - reference = "https://attack.mitre.org/techniques/T1546/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Execution" - id = "TA0002" - reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" - [[rule.threat.technique]] - name = "User Execution" - id = "T1204" - reference = "https://attack.mitre.org/techniques/T1204/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1647" +name = "Plist File Modification" +reference = "https://attack.mitre.org/techniques/T1647/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml index 25970d8647b..b194c48c852 100644 --- a/rules/macos/persistence_creation_change_launch_agents_file.toml +++ b/rules/macos/persistence_creation_change_launch_agents_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/04/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,19 +100,41 @@ Launch Agents in macOS are used to execute scripts or applications automatically [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.001" name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.001" +name = "Launchctl" +reference = "https://attack.mitre.org/techniques/T1569/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml index 1dd6607c7eb..374da22f80c 100644 --- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml +++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
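Review bot: The Persistence entry gains T1543.004 Launch Daemon and the new Execution entry adds T1569.001 Launchctl, yet this rule, per its file name and the "Launch Agents in macOS" description in the hunk header, is a file-creation/modification detection for Launch Agents. The query is outside the hunk, so this is a point to confirm: Launch Daemon is only accurate if the query also matches the LaunchDaemons locations, and Launchctl describes invoking `launchctl` to load or start a service, which a file-event rule would not observe. Mappings that outrun what the query can see inflate the ATT&CK coverage view defenders rely on, so either widen the query to match or drop the extra techniques.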
@@ -97,43 +97,49 @@ AppleScript is a scripting language for automating tasks on macOS, including man [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique.subtechnique]] +id = "T1547.015" +name = "Login Items" +reference = "https://attack.mitre.org/techniques/T1547/015/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.002" name = "AppleScript" reference = "https://attack.mitre.org/techniques/T1059/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1647" name = "Plist File Modification" reference = "https://attack.mitre.org/techniques/T1647/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml index 15e61637816..2dc6bcf3a2c 100644 --- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml +++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/13" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -103,19 +103,31 @@ Authorization plugins in macOS extend authentication capabilities, enabling feat [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.002" name = "Authentication Package" reference = "https://attack.mitre.org/techniques/T1547/002/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml index 0fd47fdaa86..3610bd457f7 100644 --- a/rules/macos/persistence_crontab_creation.toml +++ b/rules/macos/persistence_crontab_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
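Review bot: The restructured Persistence entry keeps T1547.002 Authentication Package for a macOS authorization-plugin rule, while the new Credential Access entry adds T1556 Modify Authentication Process. As far as I recall, ATT&CK lists T1547.002 as a Windows-only sub-technique (LSA authentication packages), so since this commit is revisiting the rule's mappings it is worth confirming whether the technique-level T1547, the form used for persistence_directory_services_plugins_modification in this same series, is the intended fit here. T1556 itself is a reasonable addition for a plugin that sits in the authentication path.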
@@ -100,19 +100,36 @@ Cron is a time-based job scheduler in Unix-like operating systems, including mac [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/persistence_curl_execution_via_shell_profile.toml b/rules/macos/persistence_curl_execution_via_shell_profile.toml index 7be128e76cb..0d180ea6743 100644 --- a/rules/macos/persistence_curl_execution_via_shell_profile.toml +++ b/rules/macos/persistence_curl_execution_via_shell_profile.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -81,30 +81,48 @@ sequence with maxspan=10s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique]] - name = "Event Triggered Execution" - id = "T1546" - reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.004" +name = "Unix Shell Configuration Modification" +reference = "https://attack.mitre.org/techniques/T1546/004/" - [[rule.threat.technique.subtechnique]] - name = "Unix Shell Configuration Modification" - id = "T1546.004" - reference = "https://attack.mitre.org/techniques/T1546/004/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Command and Control" - id = "TA0011" - reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" - [[rule.threat.technique]] - name = "Ingress Tool Transfer" - id = "T1105" - reference = "https://attack.mitre.org/techniques/T1105/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml index 1feff70a4d6..40c2556197f 100644 --- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml +++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -103,36 +103,41 @@ Launchd is a key macOS system process responsible for managing system and user s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.001" name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml index 851527cc2f2..6a540301235 100644 
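Review bot: The file name says this rule covers hidden launch agents, daemons and login items, and the commit adds T1543.004 Launch Daemon, but no entry maps T1547.015 Login Items, the sub-technique the same series adds to persistence_creation_hidden_login_item_osascript. If the query (outside the hunk) does match login-item locations, the Persistence entry should carry a `[[rule.threat.technique]]` T1547 block with the T1547.015 sub-technique so the coverage map reflects it; if it does not, the rule name overstates the scope and the mapping is correctly left out.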
--- a/rules/macos/persistence_directory_services_plugins_modification.toml +++ b/rules/macos/persistence_directory_services_plugins_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/13" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -98,14 +98,18 @@ DirectoryService PlugIns on macOS are integral for managing directory-based serv [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml index 60cccae6d72..5e68169bfdf 100644 --- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml +++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -102,14 +102,23 @@ Docker shortcuts on macOS are managed through dock property lists, which define [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.009" +name = "Shortcut Modification" +reference = "https://attack.mitre.org/techniques/T1547/009/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml index aceae728df5..d163f01c87e 100644 --- a/rules/macos/persistence_emond_rules_file_creation.toml +++ b/rules/macos/persistence_emond_rules_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
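Review bot: The new `[[rule.threat.technique]]` T1547 entry carries sub-technique T1547.009 Shortcut Modification, which, as far as I know, ATT&CK documents for Windows shortcut (.LNK) files, while this rule watches a macOS Dock property list. Unless the ATT&CK platform list has changed, the technique-level T1547 alone, possibly alongside T1647 Plist File Modification as this commit applies to the other plist-based rules, is the more defensible mapping; worth confirming before merge. Separately, the description excerpt in the hunk header reads "Docker shortcuts" where the rest of the sentence refers to dock property lists; "Dock shortcuts" is probably intended, though that line is outside the changed lines.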
@@ -99,19 +99,36 @@ The Event Monitor Daemon (emond) on macOS is a service that executes commands ba [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.014" name = "Emond" reference = "https://attack.mitre.org/techniques/T1546/014/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.014" +name = "Emond" +reference = "https://attack.mitre.org/techniques/T1546/014/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml index 4a0d2d1ddfe..d311934e05e 100644 --- a/rules/macos/persistence_emond_rules_process_execution.toml +++ b/rules/macos/persistence_emond_rules_process_execution.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -125,19 +125,69 @@ The Event Monitor Daemon (emond) on macOS is a service that executes commands ba [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" + [[rule.threat.technique.subtechnique]] id = "T1546.014" name = "Emond" reference = "https://attack.mitre.org/techniques/T1546/014/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + +[[rule.threat.technique.subtechnique]] +id = "T1546.014" +name = "Emond" +reference = "https://attack.mitre.org/techniques/T1546/014/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" 
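Review bot: The new Execution entry maps T1059.001 PowerShell on the macOS emond rule persistence_emond_rules_process_execution, alongside AppleScript, Unix Shell and Python. ATT&CK lists PowerShell as a Windows-platform sub-technique, so unless the query (outside the hunk) explicitly matches `pwsh` as an emond child process, this mapping advertises coverage the rule does not provide; either confirm `pwsh` is in the matched process list or drop the sub-technique. The repeated T1546.014 entry under Privilege Escalation is consistent with ATT&CK, where emond spans both tactics.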
diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml index 5e06d5edddf..aff54dfac33 100644 --- a/rules/macos/persistence_enable_root_account.toml +++ b/rules/macos/persistence_enable_root_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -97,19 +97,36 @@ In macOS environments, the root account is typically disabled to enhance securit [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml index 49dd1c7435c..a6a9cae0368 100644 --- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml +++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -101,36 +101,41 @@ Launch agents and daemons in macOS are background services that start at login o [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.001" name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" + [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml index 46944a678eb..d790a233ae0 100644 --- a/rules/macos/persistence_folder_action_scripts_runtime.toml +++ b/rules/macos/persistence_folder_action_scripts_runtime.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -101,26 +101,31 @@ Folder Action scripts on macOS automate tasks by executing scripts when folder c [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml index 40020db35c3..4de5c5b0c7f 100644 --- a/rules/macos/persistence_login_logout_hooks_defaults.toml +++ b/rules/macos/persistence_login_logout_hooks_defaults.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,14 +108,18 @@ In macOS environments, login and logout hooks are scripts executed automatically [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique.subtechnique]] +id = "T1037.002" +name = "Login Hook" +reference = "https://attack.mitre.org/techniques/T1037/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - 
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml index 7603cbada1f..e85b2d8c0c3 100644 --- a/rules/macos/persistence_loginwindow_plist_modification.toml +++ b/rules/macos/persistence_loginwindow_plist_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -67,26 +67,36 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.002" +name = "Login Hook" +reference = "https://attack.mitre.org/techniques/T1037/002/" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1647" name = "Plist File Modification" reference = "https://attack.mitre.org/techniques/T1647/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/macos/persistence_manual_chromium_extension_loading.toml b/rules/macos/persistence_manual_chromium_extension_loading.toml index 245e2cd90cc..07e4a9a4fee 100644 --- a/rules/macos/persistence_manual_chromium_extension_loading.toml +++ b/rules/macos/persistence_manual_chromium_extension_loading.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -86,25 +86,43 @@ process where host.os.type == "macos" and event.action == "exec" and [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1176" +name = "Software Extensions" +reference = "https://attack.mitre.org/techniques/T1176/" - [[rule.threat.technique]] - name = "Software Extensions" - id = "T1176" - reference = "https://attack.mitre.org/techniques/T1176/" +[[rule.threat.technique.subtechnique]] +id = "T1176.001" +name = "Browser Extensions" +reference = "https://attack.mitre.org/techniques/T1176/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1539" +name = "Steal Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1539/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Credential Access" - id = "TA0006" - reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat.technique]] +id = "T1185" +name = "Browser Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1185/" - [[rule.threat.technique]] - name = "Steal Web Session Cookie" - id = "T1539" - reference = "https://attack.mitre.org/techniques/T1539/" +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml b/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml index 2c5cd8c4634..af2fe4da7d7 100644 --- a/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml 
+++ b/rules/macos/persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -73,20 +73,26 @@ process.name:python* [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.001" name = "Launch Agent" reference = "https://attack.mitre.org/techniques/T1543/001/" +[[rule.threat.technique.subtechnique]] +id = "T1543.004" +name = "Launch Daemon" +reference = "https://attack.mitre.org/techniques/T1543/004/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "file.path"] diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml index 44791980400..f3d28e5dedf 100644 --- a/rules/macos/persistence_screensaver_plist_file_modification.toml +++ b/rules/macos/persistence_screensaver_plist_file_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -101,14 +101,18 @@ file where host.os.type == "macos" and event.action == "modification" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.002" +name = "Screensaver" +reference = "https://attack.mitre.org/techniques/T1546/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml b/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml index fac9eb9b6b7..541eca18fa0 100644 --- a/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml +++ b/rules/macos/persistence_suspicious_file_creation_via_pkg_install_script.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/30" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/30" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -88,17 +88,35 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" - [rule.threat.tactic] - name = "Persistence" - id = "TA0003" - reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique]] - name = "Event Triggered Execution" - id = "T1546" - reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.016" +name = "Installer Packages" +reference = "https://attack.mitre.org/techniques/T1546/016/" - [[rule.threat.technique.subtechnique]] - name = "Installer Packages" - id = "T1546.016" - reference = "https://attack.mitre.org/techniques/T1546/016/" +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml index eff66a14bca..20a55491fb9 100644 --- a/rules/macos/persistence_via_atom_init_file_modification.toml +++ b/rules/macos/persistence_via_atom_init_file_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -102,14 +102,18 @@ Atom, a popular text editor, allows customization via the `init.coffee` script, [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml index ca5bd4627c0..154da364854 100644 --- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml +++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -99,26 +99,41 @@ AppleScript, a scripting language for macOS, automates tasks by controlling appl [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.004" +name = "Elevated Execution with Prompt" +reference = "https://attack.mitre.org/techniques/T1548/004/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml index f295bcc10c8..495b1af36f8 100644 --- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml +++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,6 +104,7 @@ In macOS environments, the `security_authtrampoline` process is used to execute [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" 
@@ -113,27 +114,46 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.004" name = "Elevated Execution with Prompt" reference = "https://attack.mitre.org/techniques/T1548/004/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.002" +name = "AppleScript" +reference = "https://attack.mitre.org/techniques/T1059/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.006" +name = "Python" +reference = "https://attack.mitre.org/techniques/T1059/006/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml index 0b7b102ae56..9652b050d48 100644 --- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml +++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
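Review bot: T1059.001 (PowerShell) is added to a rule whose description scopes it to macOS and `security_authtrampoline`, and the rule query is outside this hunk, so confirm that the query actually matches `pwsh` as the calling interpreter before claiming PowerShell coverage. If it does not, drop that sub-technique and keep `T1059.002`, `T1059.004` and `T1059.006`, which correspond to the AppleScript, shell and Python interpreters the rule name implies. A sub-technique the query can never produce inflates the ATT&CK coverage map without adding any detection.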
@@ -101,19 +101,28 @@ In macOS environments, tools like `dscl` and `dseditgroup` manage user group mem [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/macos/privilege_escalation_user_added_to_admin_group.toml b/rules/macos/privilege_escalation_user_added_to_admin_group.toml index eb4046a403c..70e4595fc79 100644 --- a/rules/macos/privilege_escalation_user_added_to_admin_group.toml +++ b/rules/macos/privilege_escalation_user_added_to_admin_group.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/12" integration = ["jamf_protect"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.investigate]] 
@@ -103,19 +103,28 @@ configuration where host.os.type == "macos" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml index 677898f0c23..6e0dfd19402 100644 --- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml +++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -116,14 +116,36 @@ DNS tunneling exploits the DNS protocol to covertly transmit data between a comp - Coordinate with IT and security teams to apply necessary patches and updates to the affected system to close any vulnerabilities exploited by the attacker.""" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml index bc5e9a0574f..f2fe9d6cf36 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
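Review bot: The new Exfiltration entry maps DNS tunneling to T1041 (Exfiltration Over C2 Channel), while the sibling rare-DNS-question rule in this same commit maps its exfiltration to T1048; the two DNS rules should agree. T1048.003 (Exfiltration Over Unencrypted Non-C2 Protocol) lists DNS among its carrier protocols and fits a tunneling detector that cannot tell whether the tunnel is also the C2 channel, so `id = "T1048"` with a `T1048.003` sub-technique is the safer primary mapping here. T1041 can remain as a second technique if the intent is to cover tunnels that double as C2, but that choice should then be mirrored in the rare-DNS rule.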
@@ -119,19 +119,49 @@ DNS is crucial for translating domain names into IP addresses, enabling network - Update and enhance DNS monitoring rules to detect similar unusual DNS activity in the future, ensuring rapid identification and response to potential threats.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.004" name = "DNS" reference = "https://attack.mitre.org/techniques/T1071/004/" - +[[rule.threat.technique]] +id = "T1568" +name = "Dynamic Resolution" +reference = "https://attack.mitre.org/techniques/T1568/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml index 390ff8b41e2..a48e00fa0ee 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -123,19 +123,36 @@ The 'Unusual Web Request' detection leverages machine learning to identify rare - Review and update firewall and intrusion detection/prevention system (IDS/IPS) rules to better detect and block uncommon URLs associated with command-and-control activities.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" - +[[rule.threat.technique]] +id = "T1102" +name = "Web Service" +reference = "https://attack.mitre.org/techniques/T1102/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1189" +name = "Drive-by Compromise" +reference = "https://attack.mitre.org/techniques/T1189/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml index 254e2a72443..30ca95d7d81 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/06/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -133,14 +133,23 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.001" +name = "Password Guessing" +reference = "https://attack.mitre.org/techniques/T1110/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml index e2c5d123724..9fad9a30e9a 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -135,14 +135,31 @@ The 'Spike in Logon Events' detection leverages machine learning to identify ano - Enhance monitoring and alerting mechanisms to detect similar spikes in logon events in the future, ensuring rapid response to potential threats.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml index 3305439fe96..1e36cec12c9 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/06/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
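Review bot: T1110.003 (Password Spraying) is attached to a spike in logon events, but spraying shows up mainly as a burst of failures, which is what the sibling failed-logon rule in this commit already maps to T1110.001/.003; a spike in logons only reflects spraying if the counted events include failed authentications. The ML job definition is outside this hunk, so confirm whether it counts all authentication events or only successes. If only successes, the `T1078` entry added under Initial Access is the supported mapping and the spraying sub-technique should be dropped, with the parent `T1110` reconsidered as well.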
@@ -127,22 +127,30 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" @@ -153,10 +161,7 @@ id = "T1078.003" name = "Local Accounts" reference = "https://attack.mitre.org/techniques/T1078/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml index 999853954af..fb80318ed02 100644 --- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml +++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -115,19 +115,31 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.005" name = "Cloud Instance Metadata API" reference = "https://attack.mitre.org/techniques/T1552/005/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1580" +name = "Cloud Infrastructure Discovery" +reference = "https://attack.mitre.org/techniques/T1580/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml index af93615b61d..300b735984c 100644 --- a/rules/ml/execution_ml_windows_anomalous_script.toml +++ b/rules/ml/execution_ml_windows_anomalous_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -120,19 +120,36 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml index 0157a2de1c2..25ab0ac2b9e 100644 --- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml +++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -132,14 +132,26 @@ Machine learning models analyze login patterns to identify atypical IP addresses - Implement IP whitelisting or geofencing rules to restrict access from unexpected locations, enhancing future detection and prevention.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml index b4a53fb620b..d75624732fc 100644 --- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml +++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -89,14 +89,31 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/ml/ml_high_count_events_for_a_host_name.toml b/rules/ml/ml_high_count_events_for_a_host_name.toml index 3af1d24172b..4baed3cf752 100644 --- a/rules/ml/ml_high_count_events_for_a_host_name.toml +++ b/rules/ml/ml_high_count_events_for_a_host_name.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -95,23 +95,23 @@ The detection of a spike in host-based traffic leverages machine learning to ide [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" [rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1498" 
@@ -123,28 +123,59 @@ id = "T1499" name = "Endpoint Denial of Service" reference = "https://attack.mitre.org/techniques/T1499/" +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + [[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml index 39e7bd4d1f3..0cd21f75e73 100644 --- a/rules/ml/ml_high_count_network_denies.toml +++ b/rules/ml/ml_high_count_network_denies.toml 
@@ -2,7 +2,7 @@
 creation_date = "2021/04/05"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/11/18"
+updated_date = "2026/03/24"
 
 [rule]
 anomaly_threshold = 75
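Review bot: Layout only: this hunk is a date bump and the lines have been collapsed onto one line; restoring one diff line per line keeps the later technique hunks readable.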
@@ -114,62 +114,67 @@ Firewalls and ACLs are critical in controlling network traffic, blocking unautho [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" - [[rule.threat.technique]] id = "T1590" name = "Gather Victim Network Information" reference = "https://attack.mitre.org/techniques/T1590/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" [rule.threat.tactic] -id = "TA0040" -name = 
"Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1498" @@ -181,3 +186,7 @@ id = "T1499" name = "Endpoint Denial of Service" reference = "https://attack.mitre.org/techniques/T1499/" +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml index be92e900df7..c6d68ce99dd 100644 --- a/rules/ml/ml_linux_anomalous_network_port_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -121,11 +121,6 @@ In Linux environments, network ports facilitate communication between applicatio [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" @@ -136,9 +131,24 @@ id = "T1571" name = "Non-Standard Port" reference = "https://attack.mitre.org/techniques/T1571/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1205" +name = "Traffic Signaling" +reference = "https://attack.mitre.org/techniques/T1205/" + +[[rule.threat.technique.subtechnique]] +id = "T1205.001" +name = "Port Knocking" +reference = "https://attack.mitre.org/techniques/T1205/001/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" 
@@ -147,13 +157,12 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/ml/ml_low_count_events_for_a_host_name.toml b/rules/ml/ml_low_count_events_for_a_host_name.toml index d2128f0bf36..1e9be8d7329 100644 --- a/rules/ml/ml_low_count_events_for_a_host_name.toml +++ b/rules/ml/ml_low_count_events_for_a_host_name.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -95,25 +95,30 @@ Host-based traffic monitoring is crucial for identifying anomalies in network ac [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0040" -name = "Impact" -reference = "https://attack.mitre.org/tactics/TA0040/" +[[rule.threat.technique]] +id = "T1489" +name = "Service Stop" +reference = "https://attack.mitre.org/techniques/T1489/" [[rule.threat.technique]] id = "T1499" name = "Endpoint Denial of Service" reference = "https://attack.mitre.org/techniques/T1499/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" 
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml index 21d0d1aac74..dd5fc5ab525 100644 --- a/rules/ml/ml_packetbeat_rare_server_domain.toml +++ b/rules/ml/ml_packetbeat_rare_server_domain.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -121,11 +121,6 @@ Machine learning models analyze network traffic to identify atypical domain name [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" @@ -141,6 +136,11 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -152,11 +152,6 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" 
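Review bot: The Persistence threat entry that sits between the Initial Access block and the `@@ -152,11 +152,6 @@` hunk appears to carry only a `[rule.threat.tactic]` for TA0003 and no `[[rule.threat.technique]]`: the hunk headers leave five old lines between the two hunks, which is room for a tactic table but not for a technique plus a tactic. A tactic without a technique contributes nothing to ATT&CK coverage, and this same commit fixes the identical shape in ml_linux_anomalous_network_port_activity by adding `T1205` under TA0003. Either attach a technique this rule can actually support or drop the entry while the file's mappings are being rewritten.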
@@ -167,16 +162,30 @@ id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" [rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml index 7c1f674b243..300ac8b85d1 100644 --- a/rules/ml/ml_rare_destination_country.toml +++ b/rules/ml/ml_rare_destination_country.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 @@ -118,11 +118,6 @@ Machine learning models analyze network logs to identify traffic to uncommon des [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat.technique]] id = "T1566" name = "Phishing" @@ -138,6 +133,11 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" 
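Review bot: T1071.004 DNS is added to the Command and Control entry of ml_packetbeat_rare_server_domain, but the same diff shows the rule's integration list as auditd_manager and endpoint, and neither is an obvious source of DNS query records, so the sub-technique may assert coverage the datafeed does not provide. If the ML job only sees server or destination domains on flow records, keep T1071.001 and drop the `id = "T1071.004"` block, or confirm the datafeed includes DNS question names before tagging. T1105 Ingress Tool Transfer on a rare-domain anomaly is plausible but equally inferred and should be justified in the description, which is outside the hunk.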
@@ -149,11 +149,6 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" @@ -164,14 +159,14 @@ id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" @@ -182,3 +177,30 @@ id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.001" +name = "Malicious Link" +reference = "https://attack.mitre.org/techniques/T1204/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml index 9c9c130f549..97ff791d58d 100644 --- a/rules/ml/ml_spike_in_traffic_to_a_country.toml +++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml 
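Review bot: The new Execution entry at the end of the ml_rare_destination_country hunk maps T1204.002 Malicious File to a rule that only observes network traffic to an uncommon destination country; nothing in that data source can show a user executing a file, so the tag inflates ATT&CK coverage reporting without adding investigative value. T1204.001 Malicious Link is at least reachable from a network observation, so either keep only that sub-technique or drop the Execution `[[rule.threat]]` block entirely. The rule description is outside the hunk; if it claims phishing-link follow-through as the scenario, say so explicitly there so the mapping is traceable.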
@@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 75 
@@ -118,52 +118,61 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" -[[rule.threat]] -framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" [rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0043" -name = "Reconnaissance" -reference = "https://attack.mitre.org/tactics/TA0043/" - [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" +[[rule.threat.technique.subtechnique]] +id = "T1595.001" +name = "Scanning IP Blocks" +reference = "https://attack.mitre.org/techniques/T1595/001/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = 
"https://attack.mitre.org/tactics/TA0043/" diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index 3df432d3263..0f4ce5e16ba 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml +++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/11/18" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 @@ -92,19 +92,24 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0011" -name = "Command and Control" -reference = "https://attack.mitre.org/tactics/TA0011/" - [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" 
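Review bot: T1595.001 Scanning IP Blocks is added under Reconnaissance in the ml_spike_in_traffic_to_a_country hunk, but a volume spike toward one country cannot distinguish IP-block sweeping from T1595.002 Vulnerability Scanning or a plain bulk transfer; the parent T1595 the file already carried was the honest level of precision. Either keep the parent alone or add both sub-techniques. Note also that ATT&CK scopes Reconnaissance to adversary-side pre-compromise activity, so this entry only makes sense if the rule is expected to catch a compromised internal host scanning outward, which the description (outside the hunk) should state.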
@@ -121,26 +126,30 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0005" -name = "Defense Evasion" -reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" -[rule.threat.tactic] -id = "TA0010" -name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" - [[rule.threat.technique]] id = "T1041" name = "Exfiltration Over C2 Channel" reference = "https://attack.mitre.org/techniques/T1041/" +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml index bea679b8ed2..9c3f5c00f2b 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/02/27" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -170,19 +170,36 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml index f498ba198b9..e075e166adc 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
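Review bot: The Execution entry added to persistence_ml_rare_process_by_host_windows maps only T1569.002 Service Execution, which presumes the rare process was launched as a service, while the sibling persistence_ml_windows_anomalous_process_creation hunk in this same change maps its Execution entry to T1059, T1203 and T1204.002 for essentially the same signal (an unusual process on a host). Unless this rule's ML job is scoped to service-launched processes, the two rules should carry the same Execution techniques, or the reason for the narrower mapping should be recorded in the rule description, which sits outside the hunk. The pre-existing T1543.003 Windows Service mapping suggests services were intended, so confirm against the job configuration rather than the rule name.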
@@ -173,14 +173,41 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml index de821662148..bf7341edc93 100644 --- a/rules/ml/persistence_ml_windows_anomalous_service.toml +++ b/rules/ml/persistence_ml_windows_anomalous_service.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -118,19 +118,36 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" + +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml index 8485f372dbb..45c5273ac12 100644 --- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml +++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -119,8 +119,22 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.002" +name = "Domain Accounts" +reference = "https://attack.mitre.org/techniques/T1078/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml index 8c04edd604d..e8d45581eff 100644 --- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml +++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] anomaly_threshold = 50 
@@ -123,19 +123,44 @@ Compilers transform source code into executable programs, a crucial step in soft - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.""" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1588" name = "Obtain Capabilities" reference = "https://attack.mitre.org/techniques/T1588/" + [[rule.threat.technique.subtechnique]] id = "T1588.001" name = "Malware" reference = "https://attack.mitre.org/techniques/T1588/001/" - - [rule.threat.tactic] id = "TA0042" name = "Resource Development" reference = "https://attack.mitre.org/tactics/TA0042/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/network/collection_fortigate_config_download.toml b/rules/network/collection_fortigate_config_download.toml index eaca75f0e0a..f64d546a663 100644 --- a/rules/network/collection_fortigate_config_download.toml +++ b/rules/network/collection_fortigate_config_download.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/28" integration = ["fortinet_fortigate"] maturity = "production" -updated_date = "2026/01/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
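Review bot: T1127 Trusted Developer Utilities Proxy Execution is added to resource_development_ml_linux_anomalous_compiler_activity, but its ATT&CK sub-techniques (MSBuild, ClickOnce, JamPlus) describe build tooling being abused to launch attacker code, not a Linux host compiling source; confirm the technique page lists Linux as a platform and that "proxy execution" is what the job observes before keeping the `id = "T1127"` entry. T1068 Exploitation for Privilege Escalation is a reasonable inference (local exploit source compiled on the victim) but still an inference, so the rationale belongs in the description, which is outside the hunk. If neither can be grounded, the Defense Evasion block can be dropped without losing anything the detection actually evidences.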
@@ -74,18 +74,36 @@ any where event.dataset == "fortinet_fortigate.log" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1602" name = "Data from Configuration Repository" reference = "https://attack.mitre.org/techniques/T1602/" + [[rule.threat.technique.subtechnique]] id = "T1602.002" name = "Network Device Configuration Dump" reference = "https://attack.mitre.org/techniques/T1602/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml index e586f7519a8..9f96571874e 100644 --- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml +++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw", "fortinet_fortigate", "sonicwall_firewall", "suricata"] maturity = "production" -updated_date = "2026/02/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
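Review bot: The new Credential Access entry (T1552.001 Credentials In Files) on collection_fortigate_config_download is only justified if the exported configuration actually carries secrets, which is the usual case for firewall backups (admin password hashes, VPN pre-shared keys, directory bind passwords) but is stated nowhere in the hunk. The rule's investigation guide and response steps sit outside this hunk; now that the rule is tagged Credential Access they should instruct the analyst to treat every credential embedded in the downloaded config as exposed and rotate it. A short sentence in the description naming which secrets a FortiGate config export contains would make the mapping self-explanatory.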
@@ -104,32 +104,43 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml index c5d168d66d3..9e8db1efdd1 100644 --- a/rules/network/command_and_control_cobalt_strike_beacon.toml +++ b/rules/network/command_and_control_cobalt_strike_beacon.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -82,24 +82,28 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml index 3e98f2fdb7b..10408f201b2 100644 --- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml +++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/05" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/04/22" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,19 +87,23 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.001" name = "Web Protocols" reference = "https://attack.mitre.org/techniques/T1071/001/" - +[[rule.threat.technique]] +id = "T1573" +name = "Encrypted Channel" +reference = "https://attack.mitre.org/techniques/T1573/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - 
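Review bot: command_and_control_cobalt_strike_default_teamserver_cert adds T1573 Encrypted Channel at parent level, while a detection keyed on the default team server TLS certificate is exactly what `T1573.002` `Asymmetric Cryptography` describes; add that `[[rule.threat.technique.subtechnique]]` so the mapping is as specific as the T1071.001 entry beside it. The hunk also removes the blank line between the new T1573 reference and `[rule.threat.tactic]`, unlike the other files in this change that keep one blank line between tables; restore it for consistency.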
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml index 038ab832275..3a265f93e6b 100644 --- a/rules/network/command_and_control_fin7_c2_behavior.toml +++ b/rules/network/command_and_control_fin7_c2_behavior.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -43,24 +43,28 @@ destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destinati [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml index 1330bc27526..38b3cbc3b54 100644 --- a/rules/network/command_and_control_halfbaked_beacon.toml +++ b/rules/network/command_and_control_halfbaked_beacon.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -80,24 +80,28 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" - - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml index e70052c7f23..e7177215bac 100644 --- a/rules/network/command_and_control_nat_traversal_port_activity.toml +++ b/rules/network/command_and_control_nat_traversal_port_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,8 +75,22 @@ IPSEC NAT Traversal facilitates secure VPN communication across NAT devices by e [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1095" +name = "Non-Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1095/" + +[[rule.threat.technique]] +id = "T1572" +name = "Protocol Tunneling" +reference = "https://attack.mitre.org/techniques/T1572/" + +[[rule.threat.technique]] +id = "T1573" +name = "Encrypted Channel" +reference = "https://attack.mitre.org/techniques/T1573/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - 
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml index 2f266661300..9749d6d34aa 100644 --- a/rules/network/command_and_control_port_26_activity.toml +++ b/rules/network/command_and_control_port_26_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -75,20 +75,35 @@ SMTP, typically operating on port 25, is crucial for email transmission. However [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.003" +name = "Mail Protocols" +reference = "https://attack.mitre.org/techniques/T1071/003/" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml index 1c67c535c25..1eb5e77188c 100644 --- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml +++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,28 +117,39 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml index bdb7850821e..0ba2b3d849c 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
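Review bot: In command_and_control_rdp_remote_desktop_protocol_from_the_internet the Command and Control entry visible at the top of the hunk still has a tactic (TA0011) and no technique, while the sibling telnet rule in this change was given T1071 for the same shape of entry; a tactic-only threat block contributes nothing to ATT&CK coverage and reads as an oversight. Either drop the empty Command and Control entry or give it a technique the query actually evidences; the VNC rules use T1219 for their C2 entry, but RDP is a built-in protocol rather than a remote-access tool, so removal is the cleaner fix. The added T1021.001 block is also not followed by a blank line before `[rule.threat.tactic]`, unlike the other sub-technique insertions in this diff.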
@@ -108,26 +108,31 @@ VNC allows remote control of systems, facilitating maintenance and resource shar [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml index 99c927ca904..c139975d32f 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -109,14 +109,31 @@ VNC is a tool that allows remote control of computers, often used by administrat [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.005" +name = "VNC" +reference = "https://attack.mitre.org/techniques/T1021/005/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml index 0659815cbd5..823d7a5bdf6 100644 --- a/rules/network/discovery_potential_network_sweep_detected.toml +++ b/rules/network/discovery_potential_network_sweep_detected.toml @@ -2,7 +2,7 @@ creation_date = "2023/05/17" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2026/02/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -81,6 +81,11 @@ Network sweeps are reconnaissance techniques where attackers scan networks to id [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1018" +name = "Remote System Discovery" +reference = "https://attack.mitre.org/techniques/T1018/" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" @@ -108,7 +113,6 @@ reference = "https://attack.mitre.org/techniques/T1595/001/" id = "TA0043" name = "Reconnaissance" reference = "https://attack.mitre.org/tactics/TA0043/" - [rule.threshold] field = ["source.ip"] value = 1 
diff --git a/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml b/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml index 83e4f3cdfb2..d4441732d8b 100644 --- a/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml +++ b/rules/network/initial_access_fortigate_sso_login_from_unusual_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/28" integration = ["fortinet_fortigate"] maturity = "production" -updated_date = "2026/01/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -95,19 +95,41 @@ FROM logs-fortinet_fortigate.* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1606" +name = "Forge Web Credentials" +reference = "https://attack.mitre.org/techniques/T1606/" + +[[rule.threat.technique.subtechnique]] +id = "T1606.002" +name = "SAML Tokens" +reference = "https://attack.mitre.org/techniques/T1606/002/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index 492129f623e..1ee0865b265 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml 
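Review bot: T1190 (Exploit Public-Facing Application) is added to a rule that, per the hunk header, is an ES|QL query over `logs-fortinet_fortigate.*` for an SSO login from an unusual source; an anomalous login source is evidence of credential use (T1078, already mapped), not of exploitation, so unless the rule's description ties the behaviour to a specific FortiGate weakness the new technique overstates what the detection observes. The same T1190 addition appears in the `persistence_fortigate_sso_login_followed_by_admin_creation` hunk. The new Credential Access block (T1606.002, SAML Tokens) has the same problem: the rule sees a login, not token forgery, and since these mappings feed the ATT&CK coverage view they inflate it unless the description or `note` explains why a forged SAML assertion is the expected cause of such logins.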
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -101,14 +101,18 @@ RPC enables remote management and resource sharing, crucial for system administr [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1133" +name = "External Remote Services" +reference = "https://attack.mitre.org/techniques/T1133/" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml index 2072a632c94..23d4284cac2 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,14 +100,31 @@ RPC enables remote management and resource sharing across networks, crucial for [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml index 3e4f65b7211..6660e0dc3aa 100644 --- a/rules/network/initial_access_unsecure_elasticsearch_node.toml +++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/11" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -79,14 +79,26 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" 
diff --git a/rules/network/lateral_movement_dns_server_overflow.toml b/rules/network/lateral_movement_dns_server_overflow.toml index 38b0ec200b3..829273358eb 100644 --- a/rules/network/lateral_movement_dns_server_overflow.toml +++ b/rules/network/lateral_movement_dns_server_overflow.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" integration = ["network_traffic"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -79,14 +79,31 @@ query = ''' [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1499" +name = "Endpoint Denial of Service" +reference = "https://attack.mitre.org/techniques/T1499/" + +[[rule.threat.technique.subtechnique]] +id = "T1499.004" +name = "Application or System Exploitation" +reference = "https://attack.mitre.org/techniques/T1499/004/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" diff --git a/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml b/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml index 432f9d326c7..12e946d8171 100644 --- a/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml +++ b/rules/network/persistence_fortigate_sso_login_followed_by_admin_creation.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/28" integration = ["fortinet_fortigate"] maturity = "production" -updated_date = "2026/01/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -79,18 +79,31 @@ sequence by observer.name with maxspan=15m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index c74ed775d20..a39b6038b0d 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/03/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,20 +78,25 @@ Elastic Endgame is a security solution that monitors and detects exploit attempt [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - 
diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index 9882090ac4d..4d457df5da8 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/03/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,20 +80,25 @@ Elastic Endgame is a security solution designed to prevent exploits by monitorin [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index da56645fb6b..6368ebe68c5 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/03/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -72,14 +72,18 @@ Elastic Endgame is a security solution that monitors and detects unauthorized ac [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 9b43b081eca..e9b282cff18 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" maturity = "production" promotion = true -updated_date = "2025/03/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,14 +72,18 @@ Elastic Endgame is a security solution that prevents unauthorized access by moni [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index 97ba3fb44a3..972be2ad55e 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/12/15" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,6 +102,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1005" name = "Data from Local System" @@ -111,32 +112,36 @@ reference = "https://attack.mitre.org/techniques/T1005/" id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + +[[rule.threat.technique.subtechnique]] +id = "T1114.001" +name = "Local Email Collection" +reference = "https://attack.mitre.org/techniques/T1114/001/" + [[rule.threat.technique.subtechnique]] id = "T1114.002" name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml index 90ae0bf3cf8..d64dc4b3d6e 100644 --- a/rules/windows/collection_mailbox_export_winlog.toml +++ b/rules/windows/collection_mailbox_export_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/11" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
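Review bot: T1114.001 (Local Email Collection) is added alongside the existing T1114.002 (Remote Email Collection) in the Exchange mailbox PowerShell rule; ATT&CK reserves .001 for mail files on the local host (Outlook storage and cache) and .002 for server-side collection such as Exchange, so a rule keyed on Exchange mailbox cmdlets, as the filename and the existing .002 mapping suggest, would normally map only to .002. If the full query also matches Outlook-side export cmdlets I cannot see from this hunk, keep .001; otherwise drop that block so the coverage map is not credited for local mail theft this rule does not detect.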
@@ -120,15 +120,22 @@ powershell.file.script_block_text : "New-MailboxExportRequest" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1005" name = "Data from Local System" reference = "https://attack.mitre.org/techniques/T1005/" +[[rule.threat.technique]] +id = "T1074" +name = "Data Staged" +reference = "https://attack.mitre.org/techniques/T1074/" + [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" + [[rule.threat.technique.subtechnique]] id = "T1114.001" name = "Local Email Collection" @@ -139,13 +146,10 @@ id = "T1114.002" name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" - - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index 3f922888c59..3f57ec219d6 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -129,39 +129,52 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1123" name = "Audio Capture" reference = "https://attack.mitre.org/techniques/T1123/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1120" +name = "Peripheral Device Discovery" +reference = "https://attack.mitre.org/techniques/T1120/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index d2af75605fd..e546a3f7a86 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
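Review bot: The new Discovery block maps T1120 (Peripheral Device Discovery) onto a rule whose existing T1123/T1106 mappings and `collection_posh_audio_capture` filename describe PowerShell audio capture via native APIs; enumerating audio devices can precede capture, but the visible query fragment (`event.category:process and host.os.type:windows and ...`) does not show any device-enumeration terms, and the rest of the query is outside this hunk. Unless the full query contains such terms, this mapping credits the rule with a Discovery technique it does not observe; if it does, a sentence in the description pointing at those terms would justify the extra tactic.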
@@ -135,38 +135,49 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index 0c00e93c80e..cb304b5211b 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/03/12" +updated_date = "2026/03/24" [transform] [[transform.investigate]] 
@@ -339,33 +339,57 @@ network where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.002" +name = "External Proxy" +reference = "https://attack.mitre.org/techniques/T1090/002/" + [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" +[[rule.threat.technique.subtechnique]] +id = "T1102.001" +name = "Dead Drop Resolver" +reference = "https://attack.mitre.org/techniques/T1102/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1102.002" +name = "Bidirectional Communication" +reference = "https://attack.mitre.org/techniques/T1102/002/" + [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" + [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" -[[rule.threat.technique]] -id = "T1090" -name = "Proxy" -reference = "https://attack.mitre.org/techniques/T1090/" -[[rule.threat.technique.subtechnique]] -id = "T1090.002" -name = "External Proxy" -reference = "https://attack.mitre.org/techniques/T1090/002/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" 
@@ -373,6 +397,7 @@ framework = "MITRE ATT&CK" id = "T1567" name = "Exfiltration Over Web Service" reference = "https://attack.mitre.org/techniques/T1567/" + [[rule.threat.technique.subtechnique]] id = "T1567.001" name = "Exfiltration to Code Repository" @@ -383,10 +408,12 @@ id = "T1567.002" name = "Exfiltration to Cloud Storage" reference = "https://attack.mitre.org/techniques/T1567/002/" - +[[rule.threat.technique.subtechnique]] +id = "T1567.003" +name = "Exfiltration to Text Storage Sites" +reference = "https://attack.mitre.org/techniques/T1567/003/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" - diff --git a/rules/windows/command_and_control_dns_susp_tld.toml b/rules/windows/command_and_control_dns_susp_tld.toml index f4611ddfc9f..389874743d4 100644 --- a/rules/windows/command_and_control_dns_susp_tld.toml +++ b/rules/windows/command_and_control_dns_susp_tld.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -87,19 +87,41 @@ dns.question.name regex """.*\.(top|buzz|xyz|rest|ml|cf|gq|ga|onion|monster|cyou [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" + [[rule.threat.technique.subtechnique]] id = "T1071.004" name = "DNS" reference = "https://attack.mitre.org/techniques/T1071/004/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[[rule.threat.technique.subtechnique]] +id = "T1127.001" +name = "MSBuild" +reference = "https://attack.mitre.org/techniques/T1127/001/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml index a9db0f9e470..f04720d6889 100644 --- a/rules/windows/command_and_control_iexplore_via_com.toml +++ b/rules/windows/command_and_control_iexplore_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
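Review bot: The added Defense Evasion block (T1127.001 MSBuild, T1218 System Binary Proxy Execution) is attached to a rule whose only visible query fragment is a `dns.question.name` regex over suspicious TLDs; proxy-execution techniques are only meaningful here if the full query restricts the querying process to MSBuild and signed system binaries, which I cannot confirm from the hunk. If it does, the description should state that the rule fires on those specific processes resolving such TLDs so the Defense Evasion mapping is understandable; if it does not, the block overstates coverage and should be removed.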
@@ -89,31 +89,59 @@ Internet Explorer can be manipulated via the Component Object Model (COM) to ini [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" +[[rule.threat.technique.subtechnique]] +id = "T1071.004" +name = "DNS" +reference = "https://attack.mitre.org/techniques/T1071/004/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1559" name = "Inter-Process Communication" reference = "https://attack.mitre.org/techniques/T1559/" + [[rule.threat.technique.subtechnique]] id = "T1559.001" name = "Component Object Model" reference = "https://attack.mitre.org/techniques/T1559/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml b/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml index 8a0b48ac497..6effc3fefe1 100644 --- a/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml +++ b/rules/windows/command_and_control_multiple_rmm_vendors_same_host.toml 
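Review bot: The new T1071.004 (DNS) subtechnique under Application Layer Protocol looks mismatched for this rule: the hunk header describes Internet Explorer being driven via COM to initiate connections, which is HTTP/HTTPS traffic, i.e. T1071.001 (Web Protocols), the subtechnique this same commit uses for the parent technique in the certreq and common web services hunks. If DNS was chosen deliberately because the rule is keyed on DNS events, the description should say so; otherwise I would change the new block to `id = "T1071.001"`, `name = "Web Protocols"`, `reference = "https://attack.mitre.org/techniques/T1071/001/"`. The new Defense Evasion block (T1218.010/.011) is plausible if the rule keys on regsvr32/rundll32 as the COM caller, but that part of the query is outside this hunk, so it is worth a reviewer confirming before merge.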
@@ -9,7 +9,7 @@ integration = [ "crowdstrike", ] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -195,15 +195,22 @@ from logs-endpoint.events.process-*, endgame-*, logs-crowdstrike.fdr*, logs-m365 [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" + [[rule.threat.technique.subtechnique]] id = "T1219.002" name = "Remote Desktop Software" reference = "https://attack.mitre.org/techniques/T1219/002/" +[[rule.threat.technique.subtechnique]] +id = "T1219.003" +name = "Remote Access Hardware" +reference = "https://attack.mitre.org/techniques/T1219/003/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rmm.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rmm.toml index 04953eaf7da..6d26994f276 100644 --- a/rules/windows/command_and_control_new_terms_commonly_abused_rmm.toml +++ b/rules/windows/command_and_control_new_terms_commonly_abused_rmm.toml @@ -2,7 +2,7 @@ creation_date = "2023/04/03" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/03/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
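Review bot: T1219.003 (Remote Access Hardware) is added to the multiple-RMM-vendors rule, but per the hunk header this is an ES|QL query over process event indices (`logs-endpoint.events.process-*`, `endgame-*`, `logs-crowdstrike.fdr*`, ...); ATT&CK's .003 covers physical KVM/out-of-band devices, which a process-based RMM-software detection cannot observe, while .002 (Remote Desktop Software), already mapped, is the subtechnique that matches. The same .003 addition appears in the `command_and_control_new_terms_commonly_abused_rmm` hunk, where the new T1219.001 (IDE Tunneling) entry is likewise only justified if that rule's RMM list includes IDE tunnel binaries. Unless the queries actually match agents for hardware appliances, I would drop the .003 blocks in both files so the coverage map does not claim a capability these rules lack.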
@@ -493,20 +493,31 @@ host.os.type: "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" + +[[rule.threat.technique.subtechnique]] +id = "T1219.001" +name = "IDE Tunneling" +reference = "https://attack.mitre.org/techniques/T1219/001/" + [[rule.threat.technique.subtechnique]] id = "T1219.002" name = "Remote Desktop Software" reference = "https://attack.mitre.org/techniques/T1219/002/" +[[rule.threat.technique.subtechnique]] +id = "T1219.003" +name = "Remote Access Hardware" +reference = "https://attack.mitre.org/techniques/T1219/003/" + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml index e584f93e7a1..c4997d4fbd7 100644 --- a/rules/windows/command_and_control_outlook_home_page.toml +++ b/rules/windows/command_and_control_outlook_home_page.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -97,21 +97,26 @@ framework = "MITRE ATT&CK" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1137" name = "Office Application Startup" reference = "https://attack.mitre.org/techniques/T1137/" + [[rule.threat.technique.subtechnique]] id = "T1137.004" name = "Outlook Home Page" reference = "https://attack.mitre.org/techniques/T1137/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index 0e73d7b7ab7..51b0f50b658 100644 --- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,26 +95,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.001" +name = "Internal Proxy" +reference = "https://attack.mitre.org/techniques/T1090/001/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index 14e373d6b5f..b3e6cdf4098 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,31 +91,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + [[rule.threat.technique.subtechnique]] id = "T1021.004" name = "SSH" reference = "https://attack.mitre.org/techniques/T1021/004/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/command_and_control_remcos_rat_iocs.toml b/rules/windows/command_and_control_remcos_rat_iocs.toml index e7563a52d20..9b9784c5f2c 100644 --- a/rules/windows/command_and_control_remcos_rat_iocs.toml +++ b/rules/windows/command_and_control_remcos_rat_iocs.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"] maturity = "production" -updated_date = "2025/08/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,14 +91,49 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal" +reference = "https://attack.mitre.org/techniques/T1070/" + +[[rule.threat.technique.subtechnique]] +id = "T1070.004" +name = "File Deletion" +reference = "https://attack.mitre.org/techniques/T1070/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.001" +name = "Registry Run Keys / Startup Folder" +reference = "https://attack.mitre.org/techniques/T1547/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml index 9042a919ec0..ff5739466cc 100644 --- a/rules/windows/command_and_control_remote_file_copy_scripts.toml +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -123,31 +123,36 @@ sequence by host.id, process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml index 8ae791c89f0..f7d5966fa87 100644 --- a/rules/windows/command_and_control_screenconnect_childproc.toml +++ b/rules/windows/command_and_control_screenconnect_childproc.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/27" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -107,14 +107,107 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = 
"https://attack.mitre.org/techniques/T1059/005/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.005" +name = "Scheduled Task" +reference = "https://attack.mitre.org/techniques/T1053/005/" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml index 760413874e8..e7ad0618aec 100644 --- a/rules/windows/command_and_control_tool_transfer_via_curl.toml +++ b/rules/windows/command_and_control_tool_transfer_via_curl.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/03" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -108,14 +108,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/windows/command_and_control_tunnel_cloudflared.toml b/rules/windows/command_and_control_tunnel_cloudflared.toml index 520433f13b9..eb025de67fa 100644 --- a/rules/windows/command_and_control_tunnel_cloudflared.toml +++ b/rules/windows/command_and_control_tunnel_cloudflared.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,6 +80,17 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + +[[rule.threat.technique.subtechnique]] +id = "T1090.002" +name = "External Proxy" +reference = "https://attack.mitre.org/techniques/T1090/002/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" 
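Review bot: The new Exfiltration entry (T1567 Exfiltration Over Web Service under TA0010) asserts that this rule also catches uploads, but the query it belongs to is outside the hunk and the rule's name (tool transfer via curl) suggests it keys on download behaviour. If the process-argument clause does not match curl's upload options (`-T`/`--upload-file`, `-F`, `-d`/`--data`), the TA0010 mapping overstates coverage and should be dropped, or the query extended so the mapping is earned; a reviewer can confirm either way from the `[rule]` query above this hunk. The C2 additions (T1071.001 alongside the existing T1105) look correct for an HTTP(S) fetch.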
diff --git a/rules/windows/command_and_control_tunnel_yuze.toml b/rules/windows/command_and_control_tunnel_yuze.toml index a3a6314cc2e..cd38623397a 100644 --- a/rules/windows/command_and_control_tunnel_yuze.toml +++ b/rules/windows/command_and_control_tunnel_yuze.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,6 +86,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1090" +name = "Proxy" +reference = "https://attack.mitre.org/techniques/T1090/" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" @@ -95,3 +101,21 @@ reference = "https://attack.mitre.org/techniques/T1572/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/command_and_control_velociraptor_shell_execution.toml b/rules/windows/command_and_control_velociraptor_shell_execution.toml index e3a239e9797..8801cffc6d1 100644 --- a/rules/windows/command_and_control_velociraptor_shell_execution.toml +++ b/rules/windows/command_and_control_velociraptor_shell_execution.toml 
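Review bot: The first yuze hunk maps only the parent T1090 (Proxy), whereas the neighbouring cloudflared hunk maps T1090.002 (External Proxy) for what appears to be the same category of tunnelling tool. If yuze likewise relays traffic through an operator-controlled external endpoint, add a matching `[[rule.threat.technique.subtechnique]]` block with `id = "T1090.002"` directly under the T1090 block so the two rules classify consistently; if the parent-only mapping is deliberate, a sentence in the PR description would save the next reviewer the same question. The second yuze hunk's T1218.011 (Rundll32) addition presumes the process query outside the hunk contains a rundll32 condition — worth confirming it does before attaching a Defense Evasion entry.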
@@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -90,10 +90,12 @@ process where host.os.type == "windows" and event.type == "start" and process.co [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1219" name = "Remote Access Tools" reference = "https://attack.mitre.org/techniques/T1219/" + [[rule.threat.technique.subtechnique]] id = "T1219.002" name = "Remote Desktop Software" @@ -104,3 +106,43 @@ id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/credential_access_browsers_unusual_parent.toml b/rules/windows/credential_access_browsers_unusual_parent.toml index 7ba940e2c6d..b02f7744825 100644 
--- a/rules/windows/credential_access_browsers_unusual_parent.toml +++ b/rules/windows/credential_access_browsers_unusual_parent.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/27" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/27" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,10 +108,17 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1539" +name = "Steal Web Session Cookie" +reference = "https://attack.mitre.org/techniques/T1539/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [[rule.threat.technique.subtechnique]] id = "T1555.003" name = "Credentials from Web Browsers" @@ -122,4 +129,15 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1185" +name = "Browser Session Hijacking" +reference = "https://attack.mitre.org/techniques/T1185/" +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/credential_access_dcsync_user_backdoor.toml b/rules/windows/credential_access_dcsync_user_backdoor.toml index e220648179d..4c78e191a4a 100644 --- a/rules/windows/credential_access_dcsync_user_backdoor.toml +++ b/rules/windows/credential_access_dcsync_user_backdoor.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/10" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
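Review bot: The new Collection entry (T1185 Browser Session Hijacking under TA0009) describes abuse of an already-authenticated browser session, which is a different behaviour from reading stored credentials or cookies that the T1539 and T1555.003 mappings in the first hunk already cover. Unless the query outside these hunks matches session-abuse indicators rather than only access to the browser's credential and cookie stores, the T1185 mapping overclaims and should be dropped; if the query does cover it, the rule name and description should say so. This is a mapping-accuracy question, not a blocker, since the tactic/technique pairing itself is valid in ATT&CK.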
@@ -106,19 +106,31 @@ event.code:"5136" and host.os.type:"windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.006" name = "DCSync" reference = "https://attack.mitre.org/techniques/T1003/006/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml index f69365d6a48..f71fe2879f1 100644 --- a/rules/windows/credential_access_disable_kerberos_preauth.toml +++ b/rules/windows/credential_access_disable_kerberos_preauth.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,48 +91,62 @@ any where host.os.type == "windows" and event.code == "4738" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [[rule.threat.technique.subtechnique]] id = "T1558.004" name = "AS-REP Roasting" reference = "https://attack.mitre.org/techniques/T1558/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_dnsnode_creation.toml b/rules/windows/credential_access_dnsnode_creation.toml index 4dd21727dec..4f3271ced6e 100644 --- a/rules/windows/credential_access_dnsnode_creation.toml +++ b/rules/windows/credential_access_dnsnode_creation.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -104,14 +104,18 @@ any where host.os.type == "windows" and event.code == "5137" and winlog.event_da [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_dollar_account_relay_kerberos.toml b/rules/windows/credential_access_dollar_account_relay_kerberos.toml index 0a76152c2fc..0566e9d8819 100644 --- a/rules/windows/credential_access_dollar_account_relay_kerberos.toml +++ b/rules/windows/credential_access_dollar_account_relay_kerberos.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/18" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,6 +106,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" 
@@ -115,15 +116,26 @@ reference = "https://attack.mitre.org/techniques/T1187/" id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" + [[rule.threat.technique.subtechnique]] id = "T1557.001" name = "LLMNR/NBT-NS Poisoning and SMB Relay" reference = "https://attack.mitre.org/techniques/T1557/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index 25f74db6270..1b26420a8b4 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -57,24 +57,33 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.004" +name = "LSA Secrets" +reference = "https://attack.mitre.org/techniques/T1003/004/" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" - [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index ad8287b9688..025d8529f50 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,14 +95,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml index cba25263080..24bfc0ac87f 100644 --- a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml +++ b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml @@ -2,7 +2,7 @@ creation_date = "2024/10/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Matteo Potito Giorgio"] 
@@ -99,14 +99,31 @@ not (?dll.code_signature.trusted == true or file.code_signature.status == "Valid [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index 7f3932dcef5..7a30322d950 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/02" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -168,14 +168,31 @@ network where host.os.type == "windows" and event.type == "start" and network.di [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.003" +name = "Pass the Ticket" +reference = "https://attack.mitre.org/techniques/T1550/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/credential_access_kerberos_coerce.toml b/rules/windows/credential_access_kerberos_coerce.toml index 0ddf57939c2..8c9692a2d05 100644 --- a/rules/windows/credential_access_kerberos_coerce.toml +++ b/rules/windows/credential_access_kerberos_coerce.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/14" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -103,24 +103,23 @@ host.os.type:"windows" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" + [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" + [[rule.threat.technique.subtechnique]] id = "T1557.001" name = "LLMNR/NBT-NS Poisoning and SMB Relay" reference = "https://attack.mitre.org/techniques/T1557/001/" - -[[rule.threat.technique]] -id = "T1187" -name = "Forced Authentication" -reference = "https://attack.mitre.org/techniques/T1187/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_kerberos_coerce_dns.toml b/rules/windows/credential_access_kerberos_coerce_dns.toml index 0269e12bbd3..e9750ecd5e8 100644 --- a/rules/windows/credential_access_kerberos_coerce_dns.toml +++ b/rules/windows/credential_access_kerberos_coerce_dns.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/14" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/06/14" +updated_date = "2026/03/24" [transform] [[transform.investigate]] 
@@ -95,24 +95,23 @@ network where host.os.type == "windows" and dns.question.name : "*UWhRC*BAAAA*" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" + [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" + [[rule.threat.technique.subtechnique]] id = "T1557.001" name = "LLMNR/NBT-NS Poisoning and SMB Relay" reference = "https://attack.mitre.org/techniques/T1557/001/" - -[[rule.threat.technique]] -id = "T1187" -name = "Forced Authentication" -reference = "https://attack.mitre.org/techniques/T1187/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml index 9cb9ff680a5..d076bed63ce 100644 --- a/rules/windows/credential_access_ldap_attributes.toml +++ b/rules/windows/credential_access_ldap_attributes.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -118,6 +118,7 @@ any where host.os.type == "windows" and event.code == "4662" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" 
@@ -127,32 +128,49 @@ reference = "https://attack.mitre.org/techniques/T1003/" id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" - +[[rule.threat.technique]] +id = "T1649" +name = "Steal or Forge Authentication Certificates" +reference = "https://attack.mitre.org/techniques/T1649/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml index cb444a5b057..4f25fe6c2d1 100644 --- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml +++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -142,19 +142,36 @@ The Local Security Authority Subsystem Service (LSASS) is crucial for managing s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.005" +name = "Security Support Provider" +reference = "https://attack.mitre.org/techniques/T1547/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_machine_account_smb_relay.toml b/rules/windows/credential_access_machine_account_smb_relay.toml index 74eb4c912b9..4fddce0cab7 100644 --- a/rules/windows/credential_access_machine_account_smb_relay.toml +++ b/rules/windows/credential_access_machine_account_smb_relay.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/16" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -82,6 +82,7 @@ file where host.os.type == "windows" and event.code == "5145" and endswith(user. [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" 
@@ -91,15 +92,31 @@ reference = "https://attack.mitre.org/techniques/T1187/" id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" + [[rule.threat.technique.subtechnique]] id = "T1557.001" name = "LLMNR/NBT-NS Poisoning and SMB Relay" reference = "https://attack.mitre.org/techniques/T1557/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index cbc58475eaa..8b7aa352cb7 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/31" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -96,14 +96,36 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1556" +name = "Modify Authentication Process" +reference = "https://attack.mitre.org/techniques/T1556/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.005" +name = "Security Support Provider" +reference = "https://attack.mitre.org/techniques/T1547/005/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index 19d4c6879de..6366fd23398 100644 --- a/rules/windows/credential_access_mimikatz_powershell_module.toml +++ b/rules/windows/credential_access_mimikatz_powershell_module.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -135,22 +135,44 @@ powershell.file.script_block_text:( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - +[[rule.threat.technique]] +id = "T1649" +name = "Steal or Forge Authentication Certificates" +reference = "https://attack.mitre.org/techniques/T1649/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index d54be2d33fe..03fe548545a 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/19" integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -100,19 +100,31 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index 7dc0c02f2da..9c4ed0a37f3 100644 --- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml +++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,36 +83,49 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" reference = "https://attack.mitre.org/techniques/T1003/002/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml index 3f82b5ebbed..a66e6cacb47 100644 --- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml +++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/18" integration = ["endpoint", "m365_defender", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
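Review bot: The new Exfiltration / T1048 entry describes the copy from the sender's side, but the query visible in the hunk header is a local `file where ... event.type == "creation"` event, i.e. the host raising the alert is the one receiving a hive over SMB, not the one sending it; from that host's perspective the behaviour is an inbound transfer, which the existing T1021.002 entry (or T1570 Lateral Tool Transfer) already describes. If the intent is to cover the sending host, that needs a separate rule on outbound SMB writes, because this rule cannot observe the source. Consider replacing the T1048 block with `id = "T1570"` / `name = "Lateral Tool Transfer"` under the Lateral Movement entry, or dropping it. The rest of the file-creation predicate is outside the hunk, so confirm the perspective against it before settling.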
@@ -151,26 +151,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" +[[rule.threat.technique.subtechnique]] +id = "T1556.008" +name = "Network Provider DLL" +reference = "https://attack.mitre.org/techniques/T1556/008/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml index 756fcb25eba..0713a1dcfe4 100644 --- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml +++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/23" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -142,10 +142,12 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" 
@@ -156,43 +158,51 @@ id = "T1003.003" name = "NTDS" reference = "https://attack.mitre.org/techniques/T1003/003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.004" +name = "LSA Secrets" +reference = "https://attack.mitre.org/techniques/T1003/004/" +[[rule.threat.technique.subtechnique]] +id = "T1003.005" +name = "Cached Domain Credentials" +reference = "https://attack.mitre.org/techniques/T1003/005/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1006" name = "Direct Volume Access" reference = "https://attack.mitre.org/techniques/T1006/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml index 8039fe58cfc..2050fa06d2e 100644 --- a/rules/windows/credential_access_posh_kerb_ticket_dump.toml +++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
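Review bot: The two sub-technique blocks added after `reference = ".../T1003/003/"` (T1003.004 and T1003.005) are emitted back-to-back with no blank `+` line between them, and unless a context blank survived there, none before `[rule.threat.tactic]` either, while the same commit separates every technique/sub-technique block with a blank elsewhere in this hunk (the `+` added after `reference = ".../T1059/001/"`) and in the comsvcs hunk. Since this pass reads as a formatting normalisation, either run the file through the repository's rule formatter or add `+` blank lines after `reference = ".../T1003/004/"` and `reference = ".../T1003/005/"` so the file is not reflowed again on the next touch. The mapping itself looks reasonable next to the existing SAM and NTDS sub-techniques, presumably because the same raw-volume copy can pull the SECURITY hive.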
@@ -126,40 +126,49 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - +[[rule.threat.technique]] +id = "T1106" +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml index 87be03b98ba..22fae39b3d0 100644 --- a/rules/windows/credential_access_posh_relay_tools.toml +++ b/rules/windows/credential_access_posh_relay_tools.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/27" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
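Review bot: Adding T1003.001 LSASS Memory in the same commit that adds T1106 Native API reads as contradictory for a PowerShell Kerberos ticket dump: if the script-block patterns this rule matches are the LSA/Kerberos API calls that the T1106 addition implies, tickets are exported through a supported authentication-package interface rather than by reading LSASS memory, and the existing T1558 entry already captures the ticket theft. Unless the query also keys on MiniDump/ReadProcessMemory-style indicators, consider dropping the `[[rule.threat.technique.subtechnique]]` block for `T1003.001` so analysts are not led to expect a memory-dump artefact this detection never observes. The query itself starts before the hunk, so verify against it.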
@@ -125,52 +125,57 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1557" name = "Adversary-in-the-Middle" reference = "https://attack.mitre.org/techniques/T1557/" +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.002" name = "Pass the Hash" reference = "https://attack.mitre.org/techniques/T1550/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_posh_veeam_sql.toml b/rules/windows/credential_access_posh_veeam_sql.toml index fa457a50f0f..320d82c2d40 100644 --- a/rules/windows/credential_access_posh_veeam_sql.toml +++ b/rules/windows/credential_access_posh_veeam_sql.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/14" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -140,6 +140,7 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" @@ -150,30 +151,41 @@ id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/credential_access_rare_webdav_destination.toml b/rules/windows/credential_access_rare_webdav_destination.toml index 89cddbac06b..41ab73ef4d4 100644 --- a/rules/windows/credential_access_rare_webdav_destination.toml +++ b/rules/windows/credential_access_rare_webdav_destination.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/28" integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/01/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
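Review bot: In the added Collection entry, `+reference = ".../T1213/"` is immediately followed by `+[rule.threat.tactic]` with no blank `+` line, whereas the identical block in the veeam_commands hunk of this commit (`+reference = ".../T1213/"`, `+`, `+[rule.threat.tactic]`) and every other new tactic table here is preceded by a blank. The final added line `+reference = ".../tactics/TA0009/"` also appears to run straight into `[rule.investigation_fields]` unless a context blank survived there. Add a `+` blank line before `[rule.threat.tactic]` (and one after the tactic reference if the investigation-fields table is not already separated) so the two Veeam rules end up with the same layout.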
@@ -87,14 +87,31 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1187" name = "Forced Authentication" reference = "https://attack.mitre.org/techniques/T1187/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/credential_access_regback_sam_security_hives.toml b/rules/windows/credential_access_regback_sam_security_hives.toml index 45500f46a21..711ea036359 100644 --- a/rules/windows/credential_access_regback_sam_security_hives.toml +++ b/rules/windows/credential_access_regback_sam_security_hives.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -79,10 +79,12 @@ file where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" @@ -93,7 +95,10 @@ id = "T1003.004" name = "LSA Secrets" reference = "https://attack.mitre.org/techniques/T1003/004/" - +[[rule.threat.technique.subtechnique]] +id = "T1003.005" +name = "Cached Domain Credentials" +reference = "https://attack.mitre.org/techniques/T1003/005/" [rule.threat.tactic] id = "TA0006" 
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml index bb46707c121..0f9a4002862 100644 --- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml +++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml @@ -2,7 +2,7 @@ creation_date = "2022/04/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,31 +100,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" + [[rule.threat.technique]] id = "T1212" name = "Exploitation for Credential Access" reference = "https://attack.mitre.org/techniques/T1212/" +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml index f2acb0609bf..a3571a46176 100644 --- a/rules/windows/credential_access_shadow_credentials.toml +++ b/rules/windows/credential_access_shadow_credentials.toml 
@@ -2,7 +2,7 @@ creation_date = "2022/01/26" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -107,14 +107,26 @@ event.code:"5136" and host.os.type:"windows" and winlog.event_data.AttributeLDAP [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1556" name = "Modify Authentication Process" reference = "https://attack.mitre.org/techniques/T1556/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml index f7b5e02f1bd..676de53b1b4 100644 --- a/rules/windows/credential_access_spn_attribute_modified.toml +++ b/rules/windows/credential_access_spn_attribute_modified.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/22" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -106,19 +106,31 @@ event.code:5136 and host.os.type:"windows" and winlog.event_data.OperationType:" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [[rule.threat.technique.subtechnique]] id = "T1558.003" name = "Kerberoasting" reference = "https://attack.mitre.org/techniques/T1558/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml index a1e9768b415..dc5054e536e 100644 --- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml +++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/17" integration = ["windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -137,36 +137,46 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.001" name = "LSASS Memory" reference = "https://attack.mitre.org/techniques/T1003/001/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename Legitimate Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml index e63eabdab29..5fb6a32c581 100644 --- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml +++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/16" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -108,10 +108,12 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan= [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" @@ -122,22 +124,25 @@ id = "T1003.004" name = "LSA Secrets" reference = "https://attack.mitre.org/techniques/T1003/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml index a019bfa0a69..b8650e2ef45 100644 --- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml +++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml @@ -2,7 +2,7 @@ creation_date = "2021/12/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
@@ -124,10 +124,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" + [[rule.threat.technique.subtechnique]] id = "T1003.002" name = "Security Account Manager" @@ -138,10 +140,20 @@ id = "T1003.003" name = "NTDS" reference = "https://attack.mitre.org/techniques/T1003/003/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/credential_access_veeam_commands.toml b/rules/windows/credential_access_veeam_commands.toml index 26d95dd353c..2895e6e80bd 100644 --- a/rules/windows/credential_access_veeam_commands.toml +++ b/rules/windows/credential_access_veeam_commands.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/14" integration = ["windows", "endpoint", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,6 +94,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" 
@@ -104,26 +105,38 @@ id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/credential_access_web_config_file_access.toml b/rules/windows/credential_access_web_config_file_access.toml index e8bd3d77a6c..e3ea0ffc993 100644 --- a/rules/windows/credential_access_web_config_file_access.toml +++ b/rules/windows/credential_access_web_config_file_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/07/23" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -79,18 +79,39 @@ event.category:file and host.os.type:windows and event.action:open and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable", "user.id"] diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml index fb71341678b..7c94a74678b 100644 --- a/rules/windows/credential_access_wireless_creds_dumping.toml +++ b/rules/windows/credential_access_wireless_creds_dumping.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "system", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
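Review bot: The new `[[rule.threat.technique]]` T1552 block and its `[[rule.threat.technique.subtechnique]]` T1552.001 block are added as adjacent `+` lines with no blank between `+reference = ".../T1552/"` and `+[[rule.threat.technique.subtechnique]]`, while the identical T1552/T1552.001 pair in the wireless_creds_dumping hunk of this same commit is blank-separated on both sides. Pick one layout for both files — the blank-separated form matches the rest of the normalisation pass — by inserting a `+` blank after `reference = ".../T1552/"` and after `reference = ".../T1552/001/"` here. On the mapping, T1552.001 Credentials In Files is the precise fit for opens of a web.config (as the file name suggests), so the retained parent-level T1003 OS Credential Dumping could be reconsidered on a later pass, since reading an application config is not an OS credential-store dump; the file-open query starts outside the hunk.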
@@ -123,31 +123,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml index f239ebb7b8f..61813c4a8b0 100644 --- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml +++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2023/01/17" integration = ["windows"] maturity = "production" -updated_date = "2026/01/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -132,39 +132,49 @@ event.category:"process" and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index c2f04f5a873..50a42f7e78f 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -98,24 +98,28 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.001" name = "Clear Windows Event Logs" reference = "https://attack.mitre.org/techniques/T1070/001/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml index bbf8c289d02..aa828899622 100644 --- a/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml +++ b/rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/04" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -237,10 +237,12 @@ Communication apps like Slack, WebEx, and Teams are integral to modern workflows [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" 
@@ -251,27 +253,38 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index 3560277bb09..514692fc051 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml @@ -2,7 +2,7 @@ creation_date = "2021/02/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -154,19 +154,31 @@ registry where host.os.type == "windows" and event.type == "change" and registry [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1553" name = "Subvert Trust Controls" reference = "https://attack.mitre.org/techniques/T1553/" + [[rule.threat.technique.subtechnique]] id = "T1553.004" name = "Install Root Certificate" reference = "https://attack.mitre.org/techniques/T1553/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/defense_evasion_disable_nla.toml b/rules/windows/defense_evasion_disable_nla.toml index a3daa0e4c83..e808563bae7 100644 --- a/rules/windows/defense_evasion_disable_nla.toml +++ b/rules/windows/defense_evasion_disable_nla.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/25" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,6 +92,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and regi [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" 
@@ -102,9 +103,30 @@ id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.010" +name = "Downgrade Attack" +reference = "https://attack.mitre.org/techniques/T1562/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index e6b5d148708..8efcca4ce4a 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -90,36 +90,76 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" +[[rule.threat.technique]] +id = "T1127" +name = "Trusted Developer Utilities Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1127/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = 
"https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index e9ad302d9ee..0ac8e7710fa 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,19 +91,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.004" name = "Disable or Modify System Firewall" reference = "https://attack.mitre.org/techniques/T1562/004/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.001" +name = "Remote Desktop Protocol" +reference = "https://attack.mitre.org/techniques/T1021/001/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml index 2cc57b1fcb1..23c029f86a1 100644 --- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml 
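Review bot: This rule now carries four T1218 sub-techniques (CMSTP, Mshta, Regsvr32, Rundll32) plus T1127 and T1047 on top of the original T1027.004, but the EQL query that should justify each of them (`process where host.os.type == "windows" and event.type == "start" and` …) starts outside this hunk and is not visible here. Before merging I would confirm that every binary behind those mappings is actually present in the rule's child-process list, since a threat mapping broader than what the query matches overstates coverage in ATT&CK reporting and steers triage toward techniques the alert cannot evidence. Any entry the query does not actually match should be dropped rather than kept for completeness, and the `- +[[rule.threat.technique.subtechnique]]` edit at the tail of the hunk (removing a blank, adding T1059.007 with no separator) is inferred from the collapsed layout and worth a second look in the raw file.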
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/13" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -138,14 +138,26 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 93810f62173..c5fd16c25f2 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -119,26 +119,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index 078583b84ea..d9184a4ec77 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -87,27 +87,40 @@ host.os.type:windows and event.category:process and event.type:start and ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -123,13 +136,15 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index c2e91fd6574..08c29c23cbe 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -91,26 +91,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index ba363f8f52b..83083001b86 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -88,32 +88,49 @@ process.name:("csc.exe" or "iexplore.exe" or "powershell.exe") [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.004" name = "Compile After Delivery" reference = "https://attack.mitre.org/techniques/T1027/004/" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["host.id"] diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index e1eaae3f8de..4bc03f720d4 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -2,7 +2,7 @@ creation_date = "2021/07/07" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Dennis Perto"] 
@@ -106,19 +106,33 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename Legitimate Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml index 628a39d0949..2adf52c0ccd 100644 --- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml +++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/25" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -85,6 +85,17 @@ registry where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.013" +name = "Encrypted/Encoded File" +reference = "https://attack.mitre.org/techniques/T1027/013/" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" @@ -95,9 +106,7 @@ id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 1f7de5422de..a8bf93c30d9 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,19 +89,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" + [[rule.threat.technique.subtechnique]] id = "T1562.002" name = "Disable Windows Event Logging" reference = "https://attack.mitre.org/techniques/T1562/002/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/windows/defense_evasion_indirect_exec_conhost.toml b/rules/windows/defense_evasion_indirect_exec_conhost.toml index 12330d28d1f..c429f557982 100644 --- a/rules/windows/defense_evasion_indirect_exec_conhost.toml +++ b/rules/windows/defense_evasion_indirect_exec_conhost.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,14 +80,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_indirect_exec_openssh.toml b/rules/windows/defense_evasion_indirect_exec_openssh.toml index 0e3563ddef1..886d3bde22c 100644 --- a/rules/windows/defense_evasion_indirect_exec_openssh.toml +++ b/rules/windows/defense_evasion_indirect_exec_openssh.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/08/21" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,14 +80,18 @@ process where host.os.type == "windows" and event.type == "start" and process.na [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1202" name = "Indirect Command Execution" reference = "https://attack.mitre.org/techniques/T1202/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml index bc19ee7efbd..760a67eeb77 100644 --- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml +++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/28" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -95,14 +95,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml b/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml index 6f434c174de..666ad8bda1e 100644 --- a/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml +++ b/rules/windows/defense_evasion_lsass_ppl_disabled_registry.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/27" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/02/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,6 +92,7 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" 
@@ -101,14 +102,31 @@ reference = "https://attack.mitre.org/techniques/T1112/" id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique.subtechnique]] +id = "T1003.001" +name = "LSASS Memory" +reference = "https://attack.mitre.org/techniques/T1003/001/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index 47bf071a3c6..00ea4e6edd4 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -111,19 +111,28 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" +[[rule.threat.technique.subtechnique]] +id = "T1055.012" +name = "Process Hollowing" +reference = "https://attack.mitre.org/techniques/T1055/012/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index 182bab1599a..749e89527bc 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/01" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
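Review bot: The new `T1055.012` Process Hollowing mapping does not look supportable by what this rule can observe: the hunk header shows it fires on `event.type == "start"` with name/path checks, but hollowing replaces the image after creation and keeps the legitimate `process.executable` and signature, so a start event cannot tell a hollowed endpoint binary from a genuine one. The query itself is outside this hunk, so confirm; if nothing in it targets injection, drop the `T1055`/`T1055.012` entries and keep `T1036.005`, or state in the rule description which evidence of hollowing is being matched. Separately, the added `T1055` blocks are appended with no blank line between them while the same hunk inserts one after `[[rule.threat]]` and after the `T1036` technique; put one blank line before each `[[rule.threat.technique]]`/`[[rule.threat.technique.subtechnique]]` header and before `[rule.threat.tactic]` for consistency.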
@@ -128,19 +128,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename Legitimate Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.010" +name = "AutoHotKey & AutoIT" +reference = "https://attack.mitre.org/techniques/T1059/010/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index 2b7315a7978..7e8e3addb77 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Austin Songer"] @@ -140,6 +140,7 @@ registry where host.os.type == "windows" and event.type == "change" and process. [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" 
@@ -150,9 +151,12 @@ id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml index 5f9e895759c..0a7daa1afcf 100644 --- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml +++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -146,19 +146,31 @@ sequence by process.entity_id with maxspan=30s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/defense_evasion_mshta_susp_child.toml b/rules/windows/defense_evasion_mshta_susp_child.toml index 2d5a06f7b7f..bbf270aa628 100644 --- a/rules/windows/defense_evasion_mshta_susp_child.toml 
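Review bot: The new Command and Control block for the MSBuild network-connection rule maps to `T1071` Application Layer Protocol, while the equivalent msxsl network-connection rule in this same change is mapped to `T1105` Ingress Tool Transfer; both rules detect the same thing (a proxy-execution binary opening a connection) and should carry the same mapping. A raw network event does not establish the application protocol, so `T1105` is the safer choice unless the query filters on protocol or port; consider replacing the technique with `id = "T1105"` / `name = "Ingress Tool Transfer"` / `reference = "https://attack.mitre.org/techniques/T1105/"`. The sequence query begins above this hunk, so confirm whether it constrains destination port or protocol before deciding.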
+++ b/rules/windows/defense_evasion_mshta_susp_child.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -93,19 +93,51 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/defense_evasion_msiexec_remote_payload.toml b/rules/windows/defense_evasion_msiexec_remote_payload.toml index ba656ec2c14..7d424238572 100644 --- a/rules/windows/defense_evasion_msiexec_remote_payload.toml 
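Review bot: The sub-techniques added under `T1218` (`T1218.007` Msiexec, `T1218.011` Rundll32) and the new Execution block (`T1059.001` PowerShell, `T1059.003` Windows Command Shell) assert that this rule's child-process list names msiexec, rundll32, powershell and cmd; the query starts above this hunk so that cannot be checked here — confirm the child names match and drop any sub-technique whose binary the query does not reference, since an over-broad mapping inflates coverage reports. Style: the `T1218.007` and `T1218.011` blocks are appended without the blank line this hunk inserts after every other technique/sub-technique entry, and `[rule.threat.tactic]` follows `T1218.011` directly; add one blank line before each of those headers so the file matches the layout used in the new `T1059` block below it.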
+++ b/rules/windows/defense_evasion_msiexec_remote_payload.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -92,19 +92,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.007" name = "Msiexec" reference = "https://attack.mitre.org/techniques/T1218/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml index b4eaa6909a3..04e635393b9 100644 --- a/rules/windows/defense_evasion_msxsl_network.toml +++ b/rules/windows/defense_evasion_msxsl_network.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -85,14 +85,26 @@ sequence by process.entity_id [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" reference = "https://attack.mitre.org/techniques/T1220/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index 1d239873113..8bd8d22974b 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -166,34 +166,73 @@ sequence by process.entity_id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" +[[rule.threat.technique.subtechnique]] +id = "T1127.002" +name = "ClickOnce" +reference = "https://attack.mitre.org/techniques/T1127/002/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.002" +name = "Control Panel" +reference = "https://attack.mitre.org/techniques/T1218/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" [rule.threat.tactic] id = "TA0005" name = 
"Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml index 7e8558da51c..bf0b6c60dc4 100644 --- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml +++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/01" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -109,36 +109,46 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.002" +name = "Bypass User Account Control" +reference = "https://attack.mitre.org/techniques/T1548/002/" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.002" name = "Pass the Hash" reference = "https://attack.mitre.org/techniques/T1550/002/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - 
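Review bot: Each of the seven new sub-techniques in the Windows-binary network-connection rule (`T1127.002` ClickOnce, `T1218.002` Control Panel, `T1218.003` CMSTP, `T1218.004` InstallUtil, `T1218.007` Msiexec, `T1218.008` Odbcconf, `T1218.010` Regsvr32) implies that the corresponding binary is in the rule's process-name list; the sequence query starts above this hunk so this cannot be verified here, and any sub-technique without a matching binary in the query should be removed rather than kept as aspirational coverage. The blank-line layout of the added entries is also inconsistent: `T1218.005`→`T1218.007`→`T1218.008` and the final `[rule.threat.tactic]` have no separating blank line, while `T1218.002`–`T1218.004` and `T1218.010` do; normalize to one blank line before every `[[rule.threat.technique.subtechnique]]` and `[rule.threat.tactic]` header, which is what the rest of this change does.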
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml index b21cc5070cd..4b9f5f88ab7 100644 --- a/rules/windows/defense_evasion_posh_assembly_load.toml +++ b/rules/windows/defense_evasion_posh_assembly_load.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -148,10 +148,12 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" + [[rule.threat.technique.subtechnique]] id = "T1055.001" name = "Dynamic-link Library Injection" @@ -162,35 +164,38 @@ id = "T1055.002" name = "Portable Executable Injection" reference = "https://attack.mitre.org/techniques/T1055/002/" +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" [[rule.threat.technique]] id = "T1620" name = "Reflective Code Loading" reference = "https://attack.mitre.org/techniques/T1620/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", 
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml index 1af9d0caffa..c012fa70ca4 100644 --- a/rules/windows/defense_evasion_posh_compressed.toml +++ b/rules/windows/defense_evasion_posh_compressed.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -149,39 +149,44 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.015" +name = "Compression" +reference = "https://attack.mitre.org/techniques/T1027/015/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml index c5e38dabe16..9119cddd78b 100644 --- a/rules/windows/defense_evasion_posh_encryption.toml +++ b/rules/windows/defense_evasion_posh_encryption.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/01/23" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -140,22 +140,39 @@ event.category:process and host.os.type:windows and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.013" +name = "Encrypted/Encoded File" +reference = "https://attack.mitre.org/techniques/T1027/013/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_high_entropy.toml b/rules/windows/defense_evasion_posh_high_entropy.toml index 4519eaa5024..1c33761d18a 100644 --- a/rules/windows/defense_evasion_posh_high_entropy.toml +++ b/rules/windows/defense_evasion_posh_high_entropy.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/08" integration = ["windows"] maturity = "production" -updated_date = "2026/01/08" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
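Review bot: Mapping the PowerShell encryption rule to `T1486` Data Encrypted for Impact is a strong claim for a detection that, by its name and the `T1027.013`/`T1140` techniques kept alongside it, fires on a script merely exercising encryption/decryption capabilities; the same capability is routinely used to decrypt a staged payload, so most hits will be Defense Evasion rather than Impact, and analysts triaging alerts by tactic will be misled. Unless the query (which begins above this hunk) specifically targets bulk file encryption over user data, drop the `TA0040` block, or document in the rule description that Impact is included because the capability can be used for ransomware. Also insert a blank line between `reference = "https://attack.mitre.org/tactics/TA0040/"` and `[rule.investigation_fields]`, matching the spacing the rest of the change enforces.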
@@ -142,40 +142,44 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation.toml b/rules/windows/defense_evasion_posh_obfuscation.toml index 3f18767f36a..ad0f576c648 100644 --- a/rules/windows/defense_evasion_posh_obfuscation.toml +++ b/rules/windows/defense_evasion_posh_obfuscation.toml @@ -2,7 +2,7 @@ creation_date = "2024/07/03" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -122,36 +122,41 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml index 98b2aa03bc7..593600d7510 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/15" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -167,39 +167,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml index 8f1bd286cb1..5b4f541efd4 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -151,39 +151,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml index c138be71ed7..c13cd36baa5 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/14" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -134,39 +134,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml index 4b1409da8c8..3d73602c1e0 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/15" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -161,39 +161,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml index 9f3f14ce734..b9785e0c3fd 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -147,39 +147,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml index 68743a18154..1a012eb642f 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -149,39 +149,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml index 7ee84b163a3..fd336eafceb 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml +++ b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml @@ -2,7 +2,7 @@ creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -163,39 +163,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
+
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
 reference = "https://attack.mitre.org/techniques/T1140/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml
index f876139f3e3..13a9aad74ba 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -144,39 +144,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
+
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
 reference = "https://attack.mitre.org/techniques/T1140/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml
index c8686112bee..665b435f5a8 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -153,39 +153,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
+
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
 reference = "https://attack.mitre.org/techniques/T1140/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml
index ef57939e469..2dbcf2f1a43 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -152,39 +152,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
+
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
 reference = "https://attack.mitre.org/techniques/T1140/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml
index c92ccaac12b..43d8fd31d03 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -174,39 +174,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
+
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
 reference = "https://attack.mitre.org/techniques/T1140/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml
index eea41de377c..b681c674f4d 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -167,39 +167,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
+
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
 reference = "https://attack.mitre.org/techniques/T1140/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 26f4689951f..5d9f0f7e6d4 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -139,10 +139,12 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1055.001"
 name = "Dynamic-link Library Injection"
@@ -153,35 +155,38 @@ id = "T1055.002"
 name = "Portable Executable Injection"
 reference = "https://attack.mitre.org/techniques/T1055/002/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1055.004"
+name = "Asynchronous Procedure Call"
+reference = "https://attack.mitre.org/techniques/T1055/004/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
 [[rule.threat.technique]]
 id = "T1106"
 name = "Native API"
 reference = "https://attack.mitre.org/techniques/T1106/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
index 0bb678f64c1..f388d537933 100644
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/31"
 integration = ["endpoint", "windows", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -110,14 +110,36 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.003"
+name = "Rename Legitimate Utilities"
+reference = "https://attack.mitre.org/techniques/T1036/003/"
+
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
index d3516cd5119..74bb37e8196 100644
--- a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
+++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/07"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
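Review bot: The new `T1036.003` / `Rename Legitimate Utilities` block at the top of this hunk presumes the rule matches msdt.exe by its original file name or similar, not by process name alone; the query (`process where host.os.type == "windows" and event.type == "start" and …`) lies outside the hunk, so the diff does not show a renamed-binary condition. If the query keys only on `process.name`, the sub-technique overstates coverage and the retained `T1218` mapping is the defensible one. If it does compare `process.pe.original_file_name`, the mapping is fine and a `#` comment above the block naming that condition would keep it auditable.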
@@ -94,31 +94,36 @@ registry where host.os.type == "windows" and event.type == "change" and registry
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1557"
 name = "Adversary-in-the-Middle"
 reference = "https://attack.mitre.org/techniques/T1557/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules/windows/defense_evasion_regmod_remotemonologue.toml b/rules/windows/defense_evasion_regmod_remotemonologue.toml
index 7aba4b1f611..8bf18cae23b 100644
--- a/rules/windows/defense_evasion_regmod_remotemonologue.toml
+++ b/rules/windows/defense_evasion_regmod_remotemonologue.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/09/18"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -118,6 +118,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
@@ -128,9 +129,25 @@ id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.015"
+name = "Component Object Model Hijacking"
+reference = "https://attack.mitre.org/techniques/T1546/015/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/windows/defense_evasion_sccm_scnotification_dll.toml b/rules/windows/defense_evasion_sccm_scnotification_dll.toml
index 2e9bde60d3e..9091ea5c386 100644
--- a/rules/windows/defense_evasion_sccm_scnotification_dll.toml
+++ b/rules/windows/defense_evasion_sccm_scnotification_dll.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -74,14 +74,18 @@ CcmExec, part of Microsoft's System Center Configuration Manager, manages client
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.001"
+name = "DLL"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml
index 79779d38a9d..b170725e2ac 100644
--- a/rules/windows/defense_evasion_script_via_html_app.toml
+++ b/rules/windows/defense_evasion_script_via_html_app.toml
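Review bot: The new Persistence entry (`T1546.015`, Component Object Model Hijacking) in the first hunk on this line presumes the DCOM `RunAs` registry change this rule watches is used to persist; as published, the RemoteMonologue technique alters those values so that a remote DCOM activation runs in the logged-on user's session and coerces an NTLM authentication from it, which reads as Credential Access (`T1187` Forced Authentication) rather than persistence. I would either change the tactic to `id = "TA0006"` / `name = "Credential Access"` with T1187 as the technique, or add a one-line `#` comment above the entry explaining why persistence is the intended reading. The query (`registry where host.os.type == "windows" and event.action != "deletion" and …`) is outside the hunk, so this is inferred from the file name and the retained T1112/T1562 mappings.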
@@ -2,7 +2,7 @@
 creation_date = "2020/09/09"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2026/03/24"
 [rule]
@@ -121,10 +121,12 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.005"
 name = "Mshta"
@@ -135,10 +137,30 @@ id = "T1218.011"
 name = "Rundll32"
 reference = "https://attack.mitre.org/techniques/T1218/011/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.005"
+name = "Visual Basic"
+reference = "https://attack.mitre.org/techniques/T1059/005/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 18215c26fe3..c4916cbff20 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -99,6 +99,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
@@ -108,32 +109,44 @@ reference = "https://attack.mitre.org/techniques/T1112/"
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1195"
 name = "Supply Chain Compromise"
 reference = "https://attack.mitre.org/techniques/T1195/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1195.002"
 name = "Compromise Software Supply Chain"
 reference = "https://attack.mitre.org/techniques/T1195/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1489"
+name = "Service Stop"
+reference = "https://attack.mitre.org/techniques/T1489/"
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index d31877d1658..9698c3f6a7a 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
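Review bot: The third `[[rule.threat]]` entry added at the end of the `@@ -108,32 +109,44 @@` hunk maps the rule to `T1489` Service Stop under Impact (`TA0040`), which broadens a rule whose file name and retained mappings describe a backdoor quietly disabling security services through the registry; ATT&CK frames Service Stop as a disruptive-impact technique, while disabling a protective service is already covered by the `T1562.001` mapping kept earlier in the hunk. If surfacing this rule in Impact-oriented views is intended, a `#` comment above the new entry saying so would stop the next reviewer from removing it; otherwise I would drop the entry. The query (`registry where host.os.type == "windows" and event.type == "change" …`) is outside the hunk, so this is inferred from the file name and the existing mappings.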
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -140,14 +140,44 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
 reference = "https://attack.mitre.org/techniques/T1140/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.004"
+name = "Private Keys"
+reference = "https://attack.mitre.org/techniques/T1552/004/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
index cf9205c5fcc..9a072d913eb 100644
--- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
+++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/28"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/02/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
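Review bot: The new `T1552.004` / `Private Keys` entry in the last added `[[rule.threat]]` block of the `@@ -140,14 +140,44 @@` hunk presumes the certutil command lines this rule matches include key or certificate export operations; the query (`process where host.os.type == "windows" and event.type == "start" and …`) starts outside the hunk, so the diff does not show that. If the query only covers decode and download switches, the Credential Access mapping overstates coverage and `T1140` plus the new `T1105` are the accurate set; if it does match export switches, the mapping is fine. Either way a `#` comment above the entry naming the matched switch would make the mapping auditable.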
@@ -86,15 +86,32 @@ process where host.os.type == "windows" and event.type == "start" and process.ex
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1127"
+name = "Trusted Developer Utilities Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1127/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1127.001"
+name = "MSBuild"
+reference = "https://attack.mitre.org/techniques/T1127/001/"
+
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.005"
 name = "Mshta"
 reference = "https://attack.mitre.org/techniques/T1218/005/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.007"
+name = "Msiexec"
+reference = "https://attack.mitre.org/techniques/T1218/007/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.010"
 name = "Regsvr32"
@@ -105,18 +122,24 @@ id = "T1218.011"
 name = "Rundll32"
 reference = "https://attack.mitre.org/techniques/T1218/011/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
@@ -127,10 +150,17 @@ id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+[[rule.threat.technique.subtechnique]]
+id = "T1204.003"
+name = "Malicious Image"
+reference = "https://attack.mitre.org/techniques/T1204/003/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index 30a19f5a7ff..601825fa93b 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/21"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
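Review bot: The added `T1204.003` / `Malicious Image` sub-technique at the end of the `@@ -127,10 +150,17 @@` hunk looks misapplied: in ATT&CK that sub-technique covers backdoored cloud and container images (machine images, Docker images), not execution from a mounted ISO or VHD, which is what this rule's file name describes. The User Execution sub-technique for a user opening a delivered file is `T1204.002` (Malicious File), and mounted-image execution is commonly also mapped to `T1553.005` (Mark-of-the-Web Bypass); I would change the block to `id = "T1204.002"`, `name = "Malicious File"`, `reference = "https://attack.mitre.org/techniques/T1204/002/"` unless the query really targets container images. The rule query and the parent `[[rule.threat]]` entry start outside this hunk.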
@@ -95,14 +95,46 @@ file where host.os.type == "windows" and event.type != "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.003"
+name = "CMSTP"
+reference = "https://attack.mitre.org/techniques/T1218/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.005"
+name = "Mshta"
+reference = "https://attack.mitre.org/techniques/T1218/005/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.010"
+name = "Regsvr32"
+reference = "https://attack.mitre.org/techniques/T1218/010/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
index d6f9837abe0..82c550c5890 100644
--- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
+++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/24"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -83,14 +83,18 @@ sequence by host.id with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
+[[rule.threat.technique.subtechnique]]
+id = "T1055.012"
+name = "Process Hollowing"
+reference = "https://attack.mitre.org/techniques/T1055/012/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index 8b30df05e2c..e931dae2d5f 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -94,19 +94,31 @@ any where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.010"
 name = "Regsvr32"
 reference = "https://attack.mitre.org/techniques/T1218/010/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index 45706563ed1..3e0c53a79a2 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -83,26 +83,31 @@ sequence by process.entity_id with maxspan = 2m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
 [[rule.threat.technique]]
 id = "T1220"
 name = "XSL Script Processing"
 reference = "https://attack.mitre.org/techniques/T1220/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1047"
 name = "Windows Management Instrumentation"
 reference = "https://attack.mitre.org/techniques/T1047/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 2b461a36b16..611a28342ca 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -131,6 +131,7 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
@@ -141,21 +142,35 @@ id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 5c5acb3734e..2126ccfcd1d 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -136,26 +136,39 @@ file where host.os.type == "windows" and event.type != "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1211"
 name = "Exploitation for Defense Evasion"
 reference = "https://attack.mitre.org/techniques/T1211/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
index c9a0df30ca0..9746c1f2d3b 100644
--- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml
+++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/04"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -119,19 +119,28 @@ driver where host.os.type == "windows" and process.pid == 4 and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
+[[rule.threat.technique]]
+id = "T1553"
+name = "Subvert Trust Controls"
+reference = "https://attack.mitre.org/techniques/T1553/"
+[[rule.threat.technique.subtechnique]]
+id = "T1553.006"
+name = "Code Signing Policy Modification"
+reference = "https://attack.mitre.org/techniques/T1553/006/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
index ef3d4c6c627..51aaa7fc900 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/28"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
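Review bot: The new `T1553.006` (Code Signing Policy Modification) sub-technique appended after the T1036.001 `reference` line asserts more than the rule observes: the hunk header shows a `driver where ... process.pid == 4` query, which sees a kernel driver load whose signature is untrusted, not a change to DSE or test-signing state. A driver signed with a leaked, expired or later-revoked certificate loads with no policy change at all, and that bring-your-own-vulnerable-driver case is what a rule like this is most likely to catch, so analysts working from the mapping would be sent looking for a `bcdedit`/CodeIntegrity change that never happened. I would keep the parent `T1553` if "trust controls were subverted" is the intent and drop the `.006` sub-technique unless the rule body (outside the hunk) actually inspects signing-policy state. If the sub-technique stays, the rule's description should say that it is inferred from the load rather than observed.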
@@ -88,14 +88,26 @@ sequence by host.id, process.entity_id with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index 8dd19e5c315..4b7683de54e 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -95,14 +95,38 @@ sequence by process.entity_id
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1127"
 name = "Trusted Developer Utilities Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1127/"
+[[rule.threat.technique.subtechnique]]
+id = "T1127.002"
+name = "ClickOnce"
+reference = "https://attack.mitre.org/techniques/T1127/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1127.003"
+name = "JamPlus"
+reference = "https://attack.mitre.org/techniques/T1127/003/"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.003"
+name = "CMSTP"
+reference = "https://attack.mitre.org/techniques/T1218/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.008"
+name = "Odbcconf"
+reference = "https://attack.mitre.org/techniques/T1218/008/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
index 236dce5f9bd..2d1d79edb6c 100644
--- a/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
+++ b/rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/28"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -91,14 +91,18 @@ file where host.os.type == "windows" and event.action != "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_windows_filtering_platform.toml b/rules/windows/defense_evasion_windows_filtering_platform.toml
index 2b3015a7db9..2bf6e1fcd18 100644
--- a/rules/windows/defense_evasion_windows_filtering_platform.toml
+++ b/rules/windows/defense_evasion_windows_filtering_platform.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/12/15"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -136,19 +136,23 @@ sequence by winlog.computer_name with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.004"
 name = "Disable or Modify System Firewall"
 reference = "https://attack.mitre.org/techniques/T1562/004/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index dd3fab8da24..61fdcc336fe 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/03/02"
 integration = ["windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -95,14 +95,33 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.005"
+name = "Match Legitimate Resource Name or Location"
+reference = "https://attack.mitre.org/techniques/T1036/005/"
+
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.008"
+name = "Path Interception by Search Order Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/008/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml
index f0dae674a7e..42ba25c6386 100644
--- a/rules/windows/defense_evasion_wsl_bash_exec.toml
+++ b/rules/windows/defense_evasion_wsl_bash_exec.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -103,31 +103,49 @@ process where host.os.type == "windows" and event.type : "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1202"
 name = "Indirect Command Execution"
 reference = "https://attack.mitre.org/techniques/T1202/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.008"
+name = "/etc/passwd and /etc/shadow"
+reference = "https://attack.mitre.org/techniques/T1003/008/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index 54afa15164c..96f71cd4e3f 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/02/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -119,14 +119,31 @@ process where host.os.type == "windows" and event.type : "start" and process.com
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1202"
 name = "Indirect Command Execution"
 reference = "https://attack.mitre.org/techniques/T1202/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
index 3fbc2682614..9d48751dc63 100644
--- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
+++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/13"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -91,14 +91,18 @@ process where host.os.type == "windows" and event.type : "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1202"
 name = "Indirect Command Execution"
 reference = "https://attack.mitre.org/techniques/T1202/"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
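Review bot: In the `defense_evasion_wsl_enabled_via_dism.toml` hunk (`@@ -91,14 +91,18 @@`), the added `T1218` (System Binary Proxy Execution) does not describe what this rule observes: T1218 covers a signed system binary being used to run attacker-supplied content (rundll32, mshta, regsvr32 and the like), whereas dism.exe enabling the WSL optional feature executes no adversary payload through dism. The existing `T1202` already carries the "staging an indirect execution path" reading, so the new technique adds a mapping that triage guidance and coverage reports will count without any proxy execution ever being detected. If a proxy-execution mapping is wanted it belongs on the rules that see the resulting `wsl.exe`/`bash.exe` starts, not on the feature enablement; I would drop the four added `T1218` lines here. The query itself starts above the hunk (only `process where host.os.type == "windows" and event.type : "start" and` is visible), so this assumes the rule matches a dism.exe process start as its file name indicates.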
diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml
index 6ec6a72e996..44f6745bb9c 100644
--- a/rules/windows/defense_evasion_wsl_filesystem.toml
+++ b/rules/windows/defense_evasion_wsl_filesystem.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -88,14 +88,31 @@ sequence by process.entity_id with maxspan=5m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1202"
 name = "Indirect Command Execution"
 reference = "https://attack.mitre.org/techniques/T1202/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml
index 1d34d559fbf..d8753675b61 100644
--- a/rules/windows/defense_evasion_wsl_kalilinux.toml
+++ b/rules/windows/defense_evasion_wsl_kalilinux.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -100,14 +100,31 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1202"
 name = "Indirect Command Execution"
 reference = "https://attack.mitre.org/techniques/T1202/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml
index ca02fcc756a..2e219f30e67 100644
--- a/rules/windows/defense_evasion_wsl_registry_modification.toml
+++ b/rules/windows/defense_evasion_wsl_registry_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/12"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -90,6 +90,7 @@ registry where host.os.type == "windows" and event.type == "change" and registry
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
@@ -100,9 +101,25 @@ id = "T1202"
 name = "Indirect Command Execution"
 reference = "https://attack.mitre.org/techniques/T1202/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/discovery_active_directory_webservice.toml b/rules/windows/discovery_active_directory_webservice.toml
index 56600c5238b..9d12b1b6952 100644
--- a/rules/windows/discovery_active_directory_webservice.toml
+++ b/rules/windows/discovery_active_directory_webservice.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/01/31"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
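Review bot: The new Execution `[[rule.threat]]` block with `T1059.004` (Unix Shell) is attached to a rule whose query is a registry event (`registry where host.os.type == "windows" and event.type == "change" and registry...` in this file's `@@ -90,6 +90,7 @@` header), so it maps the rule to behaviour it cannot observe: a value change under the WSL keys evidences a distribution being installed or reconfigured, not a shell being executed. The pre-existing `T1112`/`T1202` pairing already describes what the event shows, and the same commit adds the identical `T1059.004` block to the process-start WSL rules where it is justified. I would remove the seventeen added lines from this file; if an Execution mapping is genuinely wanted here, the rule would first need a sequence joining the registry change to a later `wsl.exe`/`bash.exe` start. The registry path list is outside the hunk, so this assumes the rule is the Lxss distribution-install detection its file name implies.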
@@ -83,14 +83,33 @@ Active Directory Web Service (ADWS) facilitates querying Active Directory (AD) o
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1018"
 name = "Remote System Discovery"
 reference = "https://attack.mitre.org/techniques/T1018/"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1069.002"
+name = "Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1069/002/"
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1087.002"
+name = "Domain Account"
+reference = "https://attack.mitre.org/techniques/T1087/002/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 03d5ecdf531..bee03e2901a 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/05/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -96,31 +96,36 @@ not (process.parent.name : "cmd.exe" and process.working_directory : "C:\\Progra
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1033"
 name = "System Owner/User Discovery"
 reference = "https://attack.mitre.org/techniques/T1033/"
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.003"
 name = "Local Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/003/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/windows/discovery_high_number_ad_properties.toml b/rules/windows/discovery_high_number_ad_properties.toml
index ba1b6f16be2..53ce1bbbceb 100644
--- a/rules/windows/discovery_high_number_ad_properties.toml
+++ b/rules/windows/discovery_high_number_ad_properties.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/29"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -85,14 +85,33 @@ any where host.os.type == "windows" and event.code == "4662" and not winlog.even
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+[[rule.threat.technique.subtechnique]]
+id = "T1069.002"
+name = "Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1069/002/"
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1087.002"
+name = "Domain Account"
+reference = "https://attack.mitre.org/techniques/T1087/002/"
+
+[[rule.threat.technique]]
+id = "T1482"
+name = "Domain Trust Discovery"
+reference = "https://attack.mitre.org/techniques/T1482/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/windows/discovery_host_public_ip_address_lookup.toml b/rules/windows/discovery_host_public_ip_address_lookup.toml
index 70ce393aac1..3382a113142 100644
--- a/rules/windows/discovery_host_public_ip_address_lookup.toml
+++ b/rules/windows/discovery_host_public_ip_address_lookup.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/20"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -131,30 +131,35 @@ network where host.os.type == "windows" and dns.question.name != null and proces
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1016"
 name = "System Network Configuration Discovery"
 reference = "https://attack.mitre.org/techniques/T1016/"
+[[rule.threat.technique.subtechnique]]
+id = "T1016.001"
+name = "Internet Connection Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/001/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1071.004"
 name = "DNS"
 reference = "https://attack.mitre.org/techniques/T1071/004/"
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index 4fa1272e100..01b324a4b1d 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/13"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -165,76 +165,107 @@ case_insensitive = true
 value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
 [[rule.threat.technique]]
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1069.001"
 name = "Local Groups"
 reference = "https://attack.mitre.org/techniques/T1069/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1069.002"
+name = "Domain Groups"
+reference = "https://attack.mitre.org/techniques/T1069/002/"
+
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
 reference = "https://attack.mitre.org/techniques/T1087/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1087.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1087/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1087.002"
+name = "Domain Account"
+reference = "https://attack.mitre.org/techniques/T1087/002/"
 [[rule.threat.technique]]
 id = "T1135"
 name = "Network Share Discovery"
 reference = "https://attack.mitre.org/techniques/T1135/"
+[[rule.threat.technique]]
+id = "T1201"
+name = "Password Policy Discovery"
+reference = "https://attack.mitre.org/techniques/T1201/"
+
 [[rule.threat.technique]]
 id = "T1482"
 name = "Domain Trust Discovery"
 reference = "https://attack.mitre.org/techniques/T1482/"
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
 [[rule.threat.technique]]
 id = "T1106"
 name = "Native API"
 reference = "https://attack.mitre.org/techniques/T1106/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1039"
 name = "Data from Network Shared Drive"
 reference = "https://attack.mitre.org/techniques/T1039/"
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 0c166da5fd0..80a9d2adbd9 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -117,14 +117,18 @@ process where host.os.type == "windows" and event.type == "start" and process.na
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1033"
 name = "System Owner/User Discovery"
 reference = "https://attack.mitre.org/techniques/T1033/"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index c7deeed356b..93381464838 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/20"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -105,19 +105,31 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1559"
 name = "Inter-Process Communication"
 reference = "https://attack.mitre.org/techniques/T1559/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1559.001"
 name = "Component Object Model"
 reference = "https://attack.mitre.org/techniques/T1559/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index 764af8ffaf6..9f5a04ad732 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/02/23"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -134,29 +134,39 @@ sequence by process.entity_id with maxspan=15s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
 [[rule.threat.technique]]
 id = "T1105"
 name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 6424adbe5c9..46e6569f805 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/01/29"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -132,17 +132,26 @@ not process.args:(".\inetsrv\iissetup.exe /keygen " or "C:\Program" or "C:\Progr
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique]]
+id = "T1569"
+name = "System Services"
+reference = "https://attack.mitre.org/techniques/T1569/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1569.002"
+name = "Service Execution"
+reference = "https://attack.mitre.org/techniques/T1569/002/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.command_line"]
diff --git a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
index c728a7ba058..edc62287465 100644
--- a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
+++ b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/11"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -103,28 +103,50 @@ sequence by process.parent.entity_id with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.005"
 name = "Visual Basic"
 reference = "https://attack.mitre.org/techniques/T1059/005/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1127"
+name = "Trusted Developer Utilities Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1127/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1127.001"
+name = "MSBuild"
+reference = "https://attack.mitre.org/techniques/T1127/001/"
+
 [[rule.threat.technique]]
 id = "T1216"
 name = "System Script Proxy Execution"
@@ -134,6 +156,7 @@ reference = "https://attack.mitre.org/techniques/T1216/"
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.003"
 name = "CMSTP"
@@ -164,7 +187,6 @@ id = "T1218.011"
 name = "Rundll32"
 reference = "https://attack.mitre.org/techniques/T1218/011/"
-
 [[rule.threat.technique]]
 id = "T1220"
 name = "XSL Script Processing"
@@ -174,15 +196,13 @@ reference = "https://attack.mitre.org/techniques/T1220/"
 id = "T1497"
 name = "Virtualization/Sandbox Evasion"
 reference = "https://attack.mitre.org/techniques/T1497/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1497.003"
 name = "Time Based Checks"
 reference = "https://attack.mitre.org/techniques/T1497/003/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index 1e01769894a..27e5073ecae 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/06/11"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -72,22 +72,30 @@ URL shortcut files, typically used for quick access to web resources, can be exp
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
 reference = "https://attack.mitre.org/techniques/T1204/"
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1566.001"
 name = "Spearphishing Attachment"
@@ -98,10 +106,7 @@ id = "T1566.002"
 name = "Spearphishing Link"
 reference = "https://attack.mitre.org/techniques/T1566/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 15f89225424..5b7c76345e6 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -99,38 +99,65 @@ process where host.os.type == "windows" and event.type == "start" and process.co
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1047"
 name = "Windows Management Instrumentation"
 reference = "https://attack.mitre.org/techniques/T1047/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1007"
+name = "System Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1007/"
+
+[[rule.threat.technique]]
+id = "T1012"
+name = "Query Registry"
+reference = "https://attack.mitre.org/techniques/T1012/"
+
 [[rule.threat.technique]]
 id = "T1016"
 name = "System Network Configuration Discovery"
 reference = "https://attack.mitre.org/techniques/T1016/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1016.001"
 name = "Internet Connection Discovery"
 reference = "https://attack.mitre.org/techniques/T1016/001/"
-
 [[rule.threat.technique]]
 id = "T1018"
 name = "Remote System Discovery"
 reference = "https://attack.mitre.org/techniques/T1018/"
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
+[[rule.threat.technique]]
+id = "T1049"
+name = "System Network Connections Discovery"
+reference = "https://attack.mitre.org/techniques/T1049/"
+
 [[rule.threat.technique]]
 id = "T1057"
 name = "Process Discovery"
 reference = "https://attack.mitre.org/techniques/T1057/"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
 [[rule.threat.technique]]
 id = "T1087"
 name = "Account Discovery"
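Review bot: Five Discovery techniques are added to the TA0007 block here (T1007, T1012, T1033, T1049, T1082) and a sixth (T1615) in the next hunk, but the query that would justify each of them is outside the hunk; only its first line is visible as the hunk's function context. Each technique should correspond to an enumeration command the query actually matches on, because a technique with no matching term inflates ATT&CK coverage reporting without adding any detection. I would confirm each id against the command list in the query before merging and drop any that the query does not cover.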
@@ -141,9 +168,12 @@ id = "T1518"
 name = "Software Discovery"
 reference = "https://attack.mitre.org/techniques/T1518/"
+[[rule.threat.technique]]
+id = "T1615"
+name = "Group Policy Discovery"
+reference = "https://attack.mitre.org/techniques/T1615/"
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index 2b11f8ec924..51e7dee4439 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/30"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -236,36 +236,76 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
 name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.003"
+name = "CMSTP"
+reference = "https://attack.mitre.org/techniques/T1218/003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.004"
+name = "InstallUtil"
+reference = "https://attack.mitre.org/techniques/T1218/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.005"
+name = "Mshta"
+reference = "https://attack.mitre.org/techniques/T1218/005/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.009"
+name = "Regsvcs/Regasm"
+reference = "https://attack.mitre.org/techniques/T1218/009/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.010"
+name = "Regsvr32"
+reference = "https://attack.mitre.org/techniques/T1218/010/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index 62b894c0d72..98d60148ce0 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -140,36 +140,49 @@ sequence by process.entity_id
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
 reference = "https://attack.mitre.org/techniques/T1204/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1204.002"
 name = "Malicious File"
 reference = "https://attack.mitre.org/techniques/T1204/002/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.001"
 name = "Compiled HTML File"
 reference = "https://attack.mitre.org/techniques/T1218/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/windows/execution_initial_access_foxmail_exploit.toml b/rules/windows/execution_initial_access_foxmail_exploit.toml
index 1724e0f677c..084cd4eff65 100644
--- a/rules/windows/execution_initial_access_foxmail_exploit.toml
+++ b/rules/windows/execution_initial_access_foxmail_exploit.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/29"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -90,26 +90,31 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1189"
 name = "Drive-by Compromise"
 reference = "https://attack.mitre.org/techniques/T1189/"
+[[rule.threat.technique]]
+id = "T1566"
+name = "Phishing"
+reference = "https://attack.mitre.org/techniques/T1566/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/windows/execution_initial_access_via_msc_file.toml b/rules/windows/execution_initial_access_via_msc_file.toml
index b0fc6db6048..1f7219d965d 100644
--- a/rules/windows/execution_initial_access_via_msc_file.toml
+++ b/rules/windows/execution_initial_access_via_msc_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/12"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -100,27 +100,30 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
 reference = "https://attack.mitre.org/techniques/T1204/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1204.002"
 name = "Malicious File"
 reference = "https://attack.mitre.org/techniques/T1204/002/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1566.001"
 name = "Spearphishing Attachment"
@@ -131,10 +134,25 @@ id = "T1566.002"
 name = "Spearphishing Link"
 reference = "https://attack.mitre.org/techniques/T1566/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.014"
+name = "MMC"
+reference = "https://attack.mitre.org/techniques/T1218/014/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/execution_initial_access_wps_dll_exploit.toml b/rules/windows/execution_initial_access_wps_dll_exploit.toml
index b6d8c918d59..cef5e3fb0f2 100644
--- a/rules/windows/execution_initial_access_wps_dll_exploit.toml
+++ b/rules/windows/execution_initial_access_wps_dll_exploit.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -88,26 +88,49 @@ any where host.os.type == "windows" and process.name : "promecefpluginhost.exe"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1129"
+name = "Shared Modules"
+reference = "https://attack.mitre.org/techniques/T1129/"
+
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1189"
 name = "Drive-by Compromise"
 reference = "https://attack.mitre.org/techniques/T1189/"
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.001"
+name = "DLL"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 979a2d927a3..330a2bc739e 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/06"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -99,16 +99,34 @@ sequence with maxspan=2h
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1203"
+name = "Exploitation for Client Execution"
+reference = "https://attack.mitre.org/techniques/T1203/"
+
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1566.001"
 name = "Spearphishing Attachment"
@@ -119,10 +137,7 @@ id = "T1566.002"
 name = "Spearphishing Link"
 reference = "https://attack.mitre.org/techniques/T1566/002/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules/windows/execution_nodejs_susp_patterns.toml b/rules/windows/execution_nodejs_susp_patterns.toml
index 56fb9fb8bc8..4bdf3d086cd 100644
--- a/rules/windows/execution_nodejs_susp_patterns.toml
+++ b/rules/windows/execution_nodejs_susp_patterns.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/21"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/21"
+updated_date = "2026/03/24"
 [rule]
@@ -109,11 +109,25 @@ id = "T1059.007"
 name = "JavaScript"
 reference = "https://attack.mitre.org/techniques/T1059/007/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1027.010"
+name = "Command Obfuscation"
+reference = "https://attack.mitre.org/techniques/T1027/010/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/execution_notepad_markdown_child_process.toml b/rules/windows/execution_notepad_markdown_child_process.toml
index c7f3b8f24a8..13e0813ef61 100644
--- a/rules/windows/execution_notepad_markdown_child_process.toml
+++ b/rules/windows/execution_notepad_markdown_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/16"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -81,11 +81,21 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
+[[rule.threat.technique]]
+id = "T1204"
+name = "User Execution"
+reference = "https://attack.mitre.org/techniques/T1204/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
 [rule.threat.tactic]
 id = "TA0002"
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
index 8e6c5f0f7eb..1c53fa9db0e 100644
--- a/rules/windows/execution_posh_hacktool_functions.toml
+++ b/rules/windows/execution_posh_hacktool_functions.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -310,22 +310,166 @@ case_insensitive = true
 value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.001"
+name = "LSASS Memory"
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.006"
+name = "DCSync"
+reference = "https://attack.mitre.org/techniques/T1003/006/"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.006"
+name = "Group Policy Preferences"
+reference = "https://attack.mitre.org/techniques/T1552/006/"
+
+[[rule.threat.technique]]
+id = "T1558"
+name = "Steal or Forge Kerberos Tickets"
+reference = "https://attack.mitre.org/techniques/T1558/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1558.003"
+name = "Kerberoasting"
+reference = "https://attack.mitre.org/techniques/T1558/003/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.002"
+name = "Bypass User Account Control"
+reference = "https://attack.mitre.org/techniques/T1548/002/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1046"
+name = "Network Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1046/"
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+
+[[rule.threat.technique]]
+id = "T1482"
+name = "Domain Trust Discovery"
+reference = "https://attack.mitre.org/techniques/T1482/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1567.001"
+name = "Exfiltration to Code Repository"
+reference = "https://attack.mitre.org/techniques/T1567/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1567.002"
+name = "Exfiltration to Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1567/002/"
+
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1053"
+name = "Scheduled Task/Job"
+reference = "https://attack.mitre.org/techniques/T1053/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1053.005"
+name = "Scheduled Task"
+reference = "https://attack.mitre.org/techniques/T1053/005/"
+
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.005"
+name = "Security Support Provider"
+reference = "https://attack.mitre.org/techniques/T1547/005/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index 2053274cec8..d52be5d20cc 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
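Review bot: The new TA0005 block maps T1055, T1134 and T1548.002, all of which ATT&CK also lists under Privilege Escalation, yet none of the six tactic blocks added to this rule is TA0004. If the function-name list this rule matches on (outside the hunk) includes token-manipulation or UAC-bypass routines, which the T1134 and T1548.002 mapping implies, a seventh `[[rule.threat]]` block repeating those techniques under `id = "TA0004"` / `name = "Privilege Escalation"` would complete the mapping; the same T1055-only-under-TA0005 choice appears in the execution_posh_portable_executable hunk below. Sketch of the block to append after the TA0005 block, in the same layout the commit uses elsewhere:
```toml
# … unchanged: TA0005 Defense Evasion block …

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"

[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

# … unchanged: TA0007 Discovery block and following …
```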
@@ -118,34 +118,44 @@ event.category:process and host.os.type:windows and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1027.013"
+name = "Encrypted/Encoded File"
+reference = "https://attack.mitre.org/techniques/T1027/013/"
+
 [[rule.threat.technique]]
 id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml
index f5e2c08a17b..25a637bbd54 100644
--- a/rules/windows/execution_powershell_susp_args_via_winscript.toml
+++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/02/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -105,10 +105,12 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
@@ -124,10 +126,30 @@ id = "T1059.005"
 name = "Visual Basic"
 reference = "https://attack.mitre.org/techniques/T1059/005/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.005"
+name = "Mshta"
+reference = "https://attack.mitre.org/techniques/T1218/005/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/execution_revshell_cmd_via_netcat.toml b/rules/windows/execution_revshell_cmd_via_netcat.toml
index 2ca0d6e9e10..3abeef4bedc 100644
--- a/rules/windows/execution_revshell_cmd_via_netcat.toml
+++ b/rules/windows/execution_revshell_cmd_via_netcat.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/10/14"
+updated_date = "2026/03/24"
 [rule]
@@ -75,10 +75,12 @@ process.name : ("cmd.exe", "powershell.exe") and process.parent.args : "-e" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
@@ -89,9 +91,20 @@ id = "T1059.003"
 name = "Windows Command Shell"
 reference = "https://attack.mitre.org/techniques/T1059/003/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index 67a11ba82f0..83194087722 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/11/06"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -82,29 +82,46 @@ sequence by host.id, process.entity_id with maxspan = 5s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.005"
 name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"
-
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.003"
+name = "Distributed Component Object Model"
+reference = "https://attack.mitre.org/techniques/T1021/003/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/rules/windows/execution_scripting_remote_webdav.toml b/rules/windows/execution_scripting_remote_webdav.toml
index bce62a907c5..bc04b569daa 100644
--- a/rules/windows/execution_scripting_remote_webdav.toml
+++ b/rules/windows/execution_scripting_remote_webdav.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -80,41 +80,64 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
 reference = "https://attack.mitre.org/techniques/T1204/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1204.002"
 name = "Malicious File"
 reference = "https://attack.mitre.org/techniques/T1204/002/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.002"
 name = "SMB/Windows Admin Shares"
 reference = "https://attack.mitre.org/techniques/T1021/002/"
-
 [[rule.threat.technique]]
 id = "T1570"
 name = "Lateral Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1570/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/windows/execution_scripts_archive_file.toml b/rules/windows/execution_scripts_archive_file.toml
index 8bc7d0e44cc..5243860e944 100644
--- a/rules/windows/execution_scripts_archive_file.toml
+++ b/rules/windows/execution_scripts_archive_file.toml
@@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/20" +updated_date = "2026/03/24" [rule] @@ -104,20 +104,27 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" -[[rule.threat.technique.subtechnique]] -id = "T1059.005" -name = "Visual Basic" -reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index 26b1f2df891..3c92dda7f97 100644 --- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/28" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
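Review bot: In the `@@ -104,20 +104,27 @@` hunk the new `reference = "https://attack.mitre.org/techniques/T1204/"` line is immediately followed by `+[[rule.threat.technique.subtechnique]]`, while the same hunk (and the rest of the commit) inserts an empty line before every other technique and sub-technique header. The same back-to-back seam appears in the mmc-console hunk (`@@ -120,27 +122,35 @@`), the fakecaptcha hunk (`@@ -98,47 +100,58 @@`, T1204 → T1204.004) and the clickfix hunk (`@@ -97,45 +99,61 @@`, T1204.002 → T1204.004); the seams next to context lines in the other hunks may also lack the blank line, but the collapsed view does not let me confirm that. Since this commit is the one normalising the layout, it would be worth inserting the missing empty line before each of those `[[rule.threat.technique.subtechnique]]` headers so the files do not need another formatting pass.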
@@ -60,14 +60,31 @@ file where host.os.type == "windows" and file.extension : "dll" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1129" name = "Shared Modules" reference = "https://attack.mitre.org/techniques/T1129/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.001" +name = "DLL" +reference = "https://attack.mitre.org/techniques/T1574/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_susp_javascript_via_deno.toml b/rules/windows/execution_susp_javascript_via_deno.toml index ec8fe357c7a..97d11c50775 100644 --- a/rules/windows/execution_susp_javascript_via_deno.toml +++ b/rules/windows/execution_susp_javascript_via_deno.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/19" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -77,10 +77,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.007" name = "JavaScript" 
@@ -90,3 +92,29 @@ reference = "https://attack.mitre.org/techniques/T1059/007/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index 9f27f9612ae..997ab764138 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/19" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/05/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -94,6 +94,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" 
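Review bot: The new Defense Evasion entry at the end of the `@@ -90,3 +92,29 @@` hunk maps the bare technique `T1027`, whereas the PowerShell rule later in this same commit maps the `T1027.010` (Command Obfuscation) sub-technique for what looks like the same kind of signal. If this rule's query (outside the hunk) fires on obfuscated or encoded command-line arguments rather than obfuscated files on disk, the sub-technique is the more precise tag and makes Navigator roll-ups comparable across the two rules; the same applies to the bare `T1027` added in the cmd-shell hunk of `execution_windows_cmd_shell_susp_args.toml`. That would be a `[[rule.threat.technique.subtechnique]]` block with `id = "T1027.010"` and `name = "Command Obfuscation"` placed directly under the T1027 reference, as the PowerShell rule already does.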
@@ -103,15 +104,31 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index c816d82ecd2..8dbb330504c 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/30" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -113,31 +113,117 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1203" name = "Exploitation for Client Execution" reference = "https://attack.mitre.org/techniques/T1203/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + 
+[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique.subtechnique]] +id = "T1016.001" +name = "Internet Connection Discovery" +reference = "https://attack.mitre.org/techniques/T1016/001/" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index 6fcd26f682b..fc830cb9c34 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
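Review bot: The Defense Evasion and Discovery entries added at the end of this hunk attach six T1218 sub-techniques (CMSTP, InstallUtil, Mshta, Odbcconf, Regsvcs/Regasm, Regsvr32) and four discovery techniques to the PDF-reader rule, but the EQL query that would justify them is outside the hunk, so I cannot confirm that each one corresponds to a child-process name the rule actually enumerates. A technique tag for a binary the query never matches overstates coverage once rules are rolled up into an ATT&CK Navigator layer, so please cross-check the new ids against the `process.name` set in the query before merging. If some of them are there only for completeness, trimming the list to what the rule detects is the safer default.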
@@ -80,36 +80,54 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.003" name = "Rename Legitimate Utilities" reference = "https://attack.mitre.org/techniques/T1036/003/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index 15d381da770..527d9eae410 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -145,36 +145,56 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.001" name = "Compiled HTML File" reference = "https://attack.mitre.org/techniques/T1218/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml index 52678af5806..4d0567ab563 100644 --- a/rules/windows/execution_via_mmc_console_file_unusual_path.toml +++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/06/19" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -106,10 +106,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" @@ -120,27 +122,35 @@ id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/execution_windows_cmd_shell_susp_args.toml b/rules/windows/execution_windows_cmd_shell_susp_args.toml index 9d8c461049c..7e8578f6b1a 100644 --- a/rules/windows/execution_windows_cmd_shell_susp_args.toml +++ b/rules/windows/execution_windows_cmd_shell_susp_args.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/09/06" integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -161,19 +161,59 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml b/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml index f2fdff5ae2b..3b73fe7f124 100644 
--- a/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml +++ b/rules/windows/execution_windows_fakecaptcha_cmd_ps.toml @@ -2,7 +2,7 @@ creation_date = "2025/08/19" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/08/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,10 +84,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -98,47 +100,58 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.004" +name = "Malicious Copy and Paste" +reference = "https://attack.mitre.org/techniques/T1204/004/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1189" +name = "Drive-by Compromise" +reference = "https://attack.mitre.org/techniques/T1189/" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0001/" diff --git a/rules/windows/execution_windows_phish_clickfix.toml b/rules/windows/execution_windows_phish_clickfix.toml index 499cedf6295..ff9f43a3a9f 100644 --- a/rules/windows/execution_windows_phish_clickfix.toml +++ b/rules/windows/execution_windows_phish_clickfix.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/08/20" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/08/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -83,10 +83,12 @@ not (process.name : "rundll32.exe" and process.args : ("ndfapi.dll,NdfRunDllDiag [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -97,45 +99,61 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" +[[rule.threat.technique.subtechnique]] +id = "T1204.004" +name = "Malicious Copy and Paste" +reference = "https://attack.mitre.org/techniques/T1204/004/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" [rule.threat.tactic] id = "TA0001" diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml index ff0cfea3021..12f07fbe1e5 100644 --- a/rules/windows/execution_windows_powershell_susp_args.toml +++ b/rules/windows/execution_windows_powershell_susp_args.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/09/06" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -186,19 +186,54 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + +[[rule.threat.technique]] +id = "T1140" +name = "Deobfuscate/Decode Files or Information" +reference = "https://attack.mitre.org/techniques/T1140/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml index b0f8b6c40d2..1df195731bd 100644 --- a/rules/windows/execution_windows_script_from_internet.toml 
+++ b/rules/windows/execution_windows_script_from_internet.toml @@ -2,7 +2,7 @@ creation_date = "2025/01/31" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" min_stack_version = "9.1.0" min_stack_comments = "Changing min stack to 9.1.0, the latest minimum supported version for 9.X releases." @@ -93,6 +93,16 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" @@ -103,23 +113,29 @@ id = "T1059.007" name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] -id = "T1059.003" -name = "Windows Command Shell" -reference = "https://attack.mitre.org/techniques/T1059/003/" +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" @@ -130,10 +146,7 @@ id = "T1218.007" name = "Msiexec" reference = "https://attack.mitre.org/techniques/T1218/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/windows/exfiltration_rclone_cloud_upload.toml b/rules/windows/exfiltration_rclone_cloud_upload.toml index 48377c25e27..b66cc9b1c73 100644 --- a/rules/windows/exfiltration_rclone_cloud_upload.toml +++ b/rules/windows/exfiltration_rclone_cloud_upload.toml @@ -2,7 +2,7 @@ creation_date = "2026/03/18" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"] maturity = "production" -updated_date = "2026/03/18" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,12 +84,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" +[[rule.threat.technique]] +id = "T1567" +name = "Exfiltration Over Web Service" +reference = "https://attack.mitre.org/techniques/T1567/" + +[[rule.threat.technique.subtechnique]] +id = "T1567.002" +name = "Exfiltration to Cloud Storage" +reference = "https://attack.mitre.org/techniques/T1567/002/" + [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.003" +name = "Rename Legitimate Utilities" +reference = "https://attack.mitre.org/techniques/T1036/003/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/exfiltration_smb_rare_destination.toml b/rules/windows/exfiltration_smb_rare_destination.toml index 1e007cf4c87..5811c56fa8d 100644 --- a/rules/windows/exfiltration_smb_rare_destination.toml +++ b/rules/windows/exfiltration_smb_rare_destination.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/12/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -117,17 +117,29 @@ event.category:network and host.os.type:windows and process.pid:4 and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1048" name = "Exfiltration Over Alternative Protocol" reference = "https://attack.mitre.org/techniques/T1048/" - [rule.threat.tactic] id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [rule.new_terms] field = "new_terms_fields" value = ["destination.ip"] diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml index e2d3edbbce1..8cbbdcf1d46 100644 --- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml +++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/03" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -86,30 +86,41 @@ from logs-endpoint.events.file-* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" +[[rule.threat.technique]] +id = "T1486" +name = "Data Encrypted for Impact" +reference = "https://attack.mitre.org/techniques/T1486/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" + [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - - diff --git a/rules/windows/impact_mod_critical_os_files.toml b/rules/windows/impact_mod_critical_os_files.toml index 7aa911b6309..6453a27428d 100644 --- a/rules/windows/impact_mod_critical_os_files.toml +++ b/rules/windows/impact_mod_critical_os_files.toml @@ -2,7 +2,7 @@ creation_date = "2025/09/01" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/12/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -93,18 +93,28 @@ file where host.os.type == "windows" and event.type in ("change", "deletion") an [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1485" name = "Data Destruction" reference = "https://attack.mitre.org/techniques/T1485/" + [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules/windows/impact_ransomware_file_rename_smb.toml b/rules/windows/impact_ransomware_file_rename_smb.toml index 7f585c29ae5..06640b4a521 100644 --- a/rules/windows/impact_ransomware_file_rename_smb.toml +++ b/rules/windows/impact_ransomware_file_rename_smb.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/02" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -82,36 +82,41 @@ sequence by host.id with maxspan=1s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
+[[rule.threat.technique]]
+id = "T1486"
+name = "Data Encrypted for Impact"
+reference = "https://attack.mitre.org/techniques/T1486/"
+
 [[rule.threat.technique]]
 id = "T1490"
 name = "Inhibit System Recovery"
 reference = "https://attack.mitre.org/techniques/T1490/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.002"
 name = "SMB/Windows Admin Shares"
 reference = "https://attack.mitre.org/techniques/T1021/002/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/windows/impact_ransomware_note_file_over_smb.toml b/rules/windows/impact_ransomware_note_file_over_smb.toml
index 392a87fdba2..ed12fe35795 100644
--- a/rules/windows/impact_ransomware_note_file_over_smb.toml
+++ b/rules/windows/impact_ransomware_note_file_over_smb.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/14"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -82,36 +82,41 @@ sequence by host.id with maxspan=1s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1485"
 name = "Data Destruction"
 reference = "https://attack.mitre.org/techniques/T1485/"
+[[rule.threat.technique]]
+id = "T1486"
+name = "Data Encrypted for Impact"
+reference = "https://attack.mitre.org/techniques/T1486/"
+
 [[rule.threat.technique]]
 id = "T1490"
 name = "Inhibit System Recovery"
 reference = "https://attack.mitre.org/techniques/T1490/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.002"
 name = "SMB/Windows Admin Shares"
 reference = "https://attack.mitre.org/techniques/T1021/002/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index e6e6087c445..1c69ec5bafb 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/03"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/06/17"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -80,17 +80,34 @@ event.category:process and host.os.type:windows and event.type:start and process
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1489"
 name = "Service Stop"
 reference = "https://attack.mitre.org/techniques/T1489/"
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.threshold]
 field = ["host.id"]
 value = 10
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 073eef3b42a..39ada5349f6 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/19"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
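Review bot: `T1562.001` (Disable or Modify Tools) is specific to tampering with security software, but this rule's trigger is purely volumetric — the `[rule.threshold]` block that follows fires at `value = 10` starts per `host.id` — and nothing visible constrains which processes or services are being stopped, so the new Defense Evasion block credits the rule with security-tool tampering it does not check for. The parent `T1562` is defensible as a behavioural proxy (mass terminations commonly precede encryption); the `.001` sub-technique would only be accurate if the query narrows the targets to AV/EDR services, which the hunk context does not show. Suggest dropping the `[[rule.threat.technique.subtechnique]]` block and keeping `T1562`, or adding the target filter that would justify it.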
@@ -118,31 +118,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1490" name = "Inhibit System Recovery" reference = "https://attack.mitre.org/techniques/T1490/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml index 83b0ab0edd9..7bf7d72b1ae 100644 --- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml +++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -111,10 +111,12 @@ sequence by user.id with maxspan=2m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" 
@@ -125,27 +127,43 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique.subtechnique]] id = "T1027.006" name = "HTML Smuggling" reference = "https://attack.mitre.org/techniques/T1027/006/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_execution_from_inetcache.toml b/rules/windows/initial_access_execution_from_inetcache.toml index 1c10e770968..b123d9b673c 100644 --- a/rules/windows/initial_access_execution_from_inetcache.toml +++ b/rules/windows/initial_access_execution_from_inetcache.toml @@ -2,7 +2,7 @@ creation_date = "2024/02/14" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -113,31 +113,49 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_execution_remote_via_msiexec.toml b/rules/windows/initial_access_execution_remote_via_msiexec.toml index 313b2343f65..ed59a607257 100644 --- a/rules/windows/initial_access_execution_remote_via_msiexec.toml +++ b/rules/windows/initial_access_execution_remote_via_msiexec.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/28" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -101,36 +101,49 @@ MSIEXEC, the Windows Installer, facilitates software installation, modification, [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.007" name = "Msiexec" reference = "https://attack.mitre.org/techniques/T1218/007/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml index ce76d88f67f..00b31a4d91b 100644 --- a/rules/windows/initial_access_execution_via_office_addins.toml +++ b/rules/windows/initial_access_execution_via_office_addins.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -125,36 +125,59 @@ process where [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1137" name = "Office Application Startup" reference = "https://attack.mitre.org/techniques/T1137/" + [[rule.threat.technique.subtechnique]] id = "T1137.006" name = "Add-ins" reference = "https://attack.mitre.org/techniques/T1137/006/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml index 61e732cb424..67466b25d61 100644 --- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml +++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/03/24" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -110,22 +110,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -136,10 +139,88 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1049" +name = "System Network Connections Discovery" +reference = 
"https://attack.mitre.org/techniques/T1049/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/windows/initial_access_potential_webhelpdesk_exploit.toml b/rules/windows/initial_access_potential_webhelpdesk_exploit.toml index 018003de5eb..ca1b8afcd21 100644 --- a/rules/windows/initial_access_potential_webhelpdesk_exploit.toml +++ b/rules/windows/initial_access_potential_webhelpdesk_exploit.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/02" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
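Review bot: The new Discovery block (`T1016`, `T1033`, `T1049`, `T1057`, `T1082`) and the seven `T1218` sub-techniques turn a rule whose logic is "the TeamCity process spawned a suspicious child" into a claimed detector for twelve more techniques, which inflates any ATT&CK coverage view that counts mapped rules per technique. If, as the added IDs suggest, the query (outside this hunk) lists LOLBins and enumeration utilities as child process names, a `whoami.exe` child of the build server is evidence for `T1190`, not a detection of System Owner/User Discovery in general, and that is how the mapping will be read. Consider keeping the primary mappings (`T1190`, `T1059.*`) and, if the secondary ones stay because they mirror the query's process list, adding a comment above the Defense Evasion `[[rule.threat]]` block such as `# Secondary mappings mirror the child-process names in the query; update both together` so the two do not drift apart.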
@@ -92,14 +92,59 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_rdp_file_mail_attachment.toml b/rules/windows/initial_access_rdp_file_mail_attachment.toml index f7ff84102c4..9e6429272b6 100644 --- a/rules/windows/initial_access_rdp_file_mail_attachment.toml +++ b/rules/windows/initial_access_rdp_file_mail_attachment.toml 
@@ -2,7 +2,7 @@ creation_date = "2024/11/05" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -100,19 +100,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index 7ec8d133027..7ea7e0e73c9 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -105,27 +105,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -136,10 +139,12 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml index 6846a4ea7e0..b60c69c9869 100644 --- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml +++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/27" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -106,23 +106,25 @@ sequence by host.id with maxspan = 5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" @@ -132,15 +134,18 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml b/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml index 402f26c77f3..153757b6755 100644 --- a/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml +++ b/rules/windows/initial_access_suspicious_execution_from_vscode_extension.toml @@ -2,7 +2,7 @@ creation_date = "2026/02/13" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/13" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -84,10 +84,12 @@ process where host.os.type == "windows" and event.action == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" @@ -100,14 +102,32 @@ reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" 
@@ -117,3 +137,44 @@ reference = "https://attack.mitre.org/techniques/T1204/002/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.007" +name = "Msiexec" +reference = "https://attack.mitre.org/techniques/T1218/007/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml index 519fd905a68..1d9ac75eed3 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/04" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Austin Songer"] 
@@ -85,26 +85,44 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1210" name = "Exploitation of Remote Services" reference = "https://attack.mitre.org/techniques/T1210/" - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index 28e435a3737..d6fed06ce9e 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2021/03/08" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -94,22 +94,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -120,10 +123,25 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 74d8fad8028..de4be6c2267 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -123,27 +123,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -154,22 +157,103 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.001" +name = "Compiled HTML File" +reference = "https://attack.mitre.org/techniques/T1218/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.002" +name = "Control Panel" +reference = "https://attack.mitre.org/techniques/T1218/002/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = 
"MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + +[[rule.threat.technique]] +id = "T1049" +name = "System Network Connections Discovery" +reference = "https://attack.mitre.org/techniques/T1049/" + +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index c0828b44e66..964b692c41b 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
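Review bot: The blank-line normalization this commit applies to the existing tables is not carried into the tables it adds in this hunk: the new `[[rule.threat.technique]]` for T1203 is glued to the preceding `reference` line and to `[rule.threat.tactic]`, the first `[[rule.threat.technique.subtechnique]]` after T1218 follows its `reference` line directly, and `[rule.threat.tactic]` follows the T1218.011 block with no separator, while the Discovery block below is fully separated. The same pattern appears in the hunks `@@ -141,22 +144,60 @@` (suspicious_ms_outlook_child_process), `@@ -103,18 +105,38 @@` (url_cve_2025_33053), `@@ -137,22 +140,45 @@` (via_explorer_suspicious_child_parent_args), `@@ -80,48 +80,54 @@` (lateral_movement_cmd_service), `@@ -99,33 +99,39 @@` (kerberos_correlation), `@@ -91,19 +91,23 @@` (execution_from_tsclient_mup), `@@ -145,19 +145,23 @@` (execution_via_file_shares_sequence), `@@ -99,26 +99,31 @@` (incoming_wmi) and `@@ -90,19 +90,41 @@` (remote_file_copy_hidden_share). Since these tables are being rewritten anyway, one blank line before every new `[[...]]` and `[...]` header would leave all the touched files in the same shape and keep later `updated_date`-only commits from carrying formatting churn. Separately, the query is outside this hunk, so I cannot tell whether each of the nine T1218 sub-techniques and five Discovery techniques corresponds to a child process the query actually enumerates; because these tags feed ATT&CK coverage reporting, please confirm that against the query rather than the rule name.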
@@ -110,27 +110,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -141,22 +144,60 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.003" +name = "CMSTP" +reference = "https://attack.mitre.org/techniques/T1218/003/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.004" +name = "InstallUtil" +reference = "https://attack.mitre.org/techniques/T1218/004/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.008" +name = "Odbcconf" +reference = "https://attack.mitre.org/techniques/T1218/008/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.009" +name = "Regsvcs/Regasm" +reference = "https://attack.mitre.org/techniques/T1218/009/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/initial_access_suspicious_windows_server_update_svc.toml b/rules/windows/initial_access_suspicious_windows_server_update_svc.toml index c1bfe3cbe84..051751fafd3 100644 --- a/rules/windows/initial_access_suspicious_windows_server_update_svc.toml 
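Review bot: The T1218 sub-technique set added here (.003, .004, .005, .008, .009, .010) omits the T1218.001, T1218.002 and T1218.011 entries that the companion hunk in initial_access_suspicious_ms_office_child_process.toml adds, and this rule alone gains T1204.002 under Execution. If the Outlook and Office queries enumerate different child processes the asymmetry is correct, but both queries are outside these hunks, so the difference reads as an implicit claim of narrower coverage that should be confirmed against them before it lands. An omitted sub-technique under-reports and a surplus one over-reports in ATT&CK coverage views, so the two lists are worth reconciling in the same commit.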
+++ b/rules/windows/initial_access_suspicious_windows_server_update_svc.toml @@ -2,7 +2,7 @@ creation_date = "2025/10/24" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/10/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -86,22 +86,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -112,10 +115,43 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_url_cve_2025_33053.toml b/rules/windows/initial_access_url_cve_2025_33053.toml index 17c356f8d2c..6f022a55f11 100644 --- a/rules/windows/initial_access_url_cve_2025_33053.toml +++ b/rules/windows/initial_access_url_cve_2025_33053.toml @@ -2,7 +2,7 @@ creation_date = "2025/06/11" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/06/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -84,10 +84,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" 
@@ -103,18 +105,38 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" -[[rule.threat]] -framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index 7a7e8c67522..123281bc710 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/29" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -96,10 +96,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -110,18 +112,19 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -137,22 +140,45 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" +[[rule.threat.technique.subtechnique]] +id = "T1218.005" +name = "Mshta" +reference = "https://attack.mitre.org/techniques/T1218/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.010" +name = "Regsvr32" +reference = "https://attack.mitre.org/techniques/T1218/010/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/initial_access_webshell_screenconnect_server.toml b/rules/windows/initial_access_webshell_screenconnect_server.toml index fbe76f594f5..261f5786467 100644 --- a/rules/windows/initial_access_webshell_screenconnect_server.toml +++ b/rules/windows/initial_access_webshell_screenconnect_server.toml @@ -2,7 +2,7 @@ creation_date = "2024/03/26" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -92,22 +92,25 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -118,10 +121,25 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[[rule.threat.technique.subtechnique]] +id = "T1505.003" +name = "Web Shell" +reference = "https://attack.mitre.org/techniques/T1505/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/initial_access_xsl_script_execution_via_com.toml b/rules/windows/initial_access_xsl_script_execution_via_com.toml index 2a1b8903abd..0e82b88b145 100644 --- a/rules/windows/initial_access_xsl_script_execution_via_com.toml +++ b/rules/windows/initial_access_xsl_script_execution_via_com.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -82,31 +82,64 @@ The Microsoft.XMLDOM COM interface allows applications to parse and transform XM [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1220" name = "XSL Script Processing" reference = "https://attack.mitre.org/techniques/T1220/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.005" +name = "Visual Basic" +reference = "https://attack.mitre.org/techniques/T1059/005/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml index 3e17c1558a3..7f787510c06 100644 --- a/rules/windows/lateral_movement_cmd_service.toml +++ b/rules/windows/lateral_movement_cmd_service.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -80,48 +80,54 @@ sequence by process.entity_id with maxspan = 1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml b/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml index ecce43b56cd..4453dc6b459 100644 --- a/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml +++ b/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml 
@@ -2,7 +2,7 @@ creation_date = "2025/10/28" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/12/12" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,33 +99,39 @@ sequence by source.port, source.ip with maxspan=3s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.003" name = "Pass the Ticket" reference = "https://attack.mitre.org/techniques/T1550/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" + [[rule.threat.technique.subtechnique]] id = "T1558.003" name = "Kerberoasting" reference = "https://attack.mitre.org/techniques/T1558/003/" - +[[rule.threat.technique.subtechnique]] +id = "T1558.004" +name = "AS-REP Roasting" +reference = "https://attack.mitre.org/techniques/T1558/004/" [rule.threat.tactic] id = "TA0006" diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml index 4f7be9dafd2..e232e9ab815 100644 --- a/rules/windows/lateral_movement_dcom_hta.toml +++ b/rules/windows/lateral_movement_dcom_hta.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
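Review bot: Adding T1558.004 (AS-REP Roasting) next to T1558.003 inside the same `[[rule.threat]]` entry asserts that this correlation also fires on AS-REQ/AS-REP exchanges for accounts that do not require pre-authentication, not only on the TGS service-ticket requests that Kerberoasting covers. The hunk header shows the sequence keyed on `source.port, source.ip` with `maxspan=3s`, but the event filters are not visible from here, so please confirm the query matches both exchanges before the tag is published; if it does not, the tag should be dropped rather than left as aspirational coverage. The `[rule.threat.tactic]` table that closes this threat entry continues outside the hunk.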
@@ -85,36 +85,54 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.003" name = "Distributed Component Object Model" reference = "https://attack.mitre.org/techniques/T1021/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.005" name = "Mshta" reference = "https://attack.mitre.org/techniques/T1218/005/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml index edec6ac25c0..931dc6bc10e 100644 --- a/rules/windows/lateral_movement_dcom_mmc20.toml +++ b/rules/windows/lateral_movement_dcom_mmc20.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -84,36 +84,54 @@ sequence by host.id with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.003" name = "Distributed Component Object Model" reference = "https://attack.mitre.org/techniques/T1021/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.014" name = "MMC" reference = "https://attack.mitre.org/techniques/T1218/014/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml index 99d6bbb8067..023860a5a08 100644 --- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml +++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/06" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -85,19 +85,36 @@ sequence by host.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.003" name = "Distributed Component Object Model" reference = "https://attack.mitre.org/techniques/T1021/003/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1559" +name = "Inter-Process Communication" +reference = "https://attack.mitre.org/techniques/T1559/" + +[[rule.threat.technique.subtechnique]] +id = "T1559.001" +name = "Component Object Model" +reference = "https://attack.mitre.org/techniques/T1559/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml index b0a6ce543ed..b3aa744287d 100644 --- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/12" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -104,19 +104,31 @@ any where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1113" +name = "Screen Capture" +reference = "https://attack.mitre.org/techniques/T1113/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml index a6329dc5a9d..002889aff11 100644 --- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -91,19 +91,23 @@ process where host.os.type == "windows" and event.type == "start" and process.ex [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" - +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index 9f04832e1d8..3b8a8380436 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -145,19 +145,23 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.002" name = "SMB/Windows Admin Shares" reference = "https://attack.mitre.org/techniques/T1021/002/" - +[[rule.threat.technique]] +id = "T1570" +name = "Lateral Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1570/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" - diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml index 8dbb6d82a42..a2831b84880 100644 
--- a/rules/windows/lateral_movement_incoming_wmi.toml +++ b/rules/windows/lateral_movement_incoming_wmi.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/05/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -99,26 +99,31 @@ sequence by host.id with maxspan = 20s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.003" +name = "Distributed Component Object Model" +reference = "https://attack.mitre.org/techniques/T1021/003/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml index 2ba965eb464..a32563cd490 100644 --- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml +++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -90,19 +90,41 @@ Remote Desktop Protocol (RDP) enables users to connect to and control remote sys [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" + [[rule.threat.technique.subtechnique]] id = "T1021.001" name = "Remote Desktop Protocol" reference = "https://attack.mitre.org/techniques/T1021/001/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 197d4339c52..75ea925dba0 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml +++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/04" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/12/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -90,19 +90,41 @@ process where host.os.type == "windows" and event.type == "start" and user.id !=
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.002"
 name = "SMB/Windows Admin Shares"
 reference = "https://attack.mitre.org/techniques/T1021/002/"
-
+[[rule.threat.technique]]
+id = "T1570"
+name = "Lateral Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1570/"
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1074.002"
+name = "Remote Data Staging"
+reference = "https://attack.mitre.org/techniques/T1074/002/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
index 374035f3dfd..aaa83582136 100644
--- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml
+++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/08/30"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
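Review bot: The new Collection entry at the end of this hunk (`T1074.002` Remote Data Staging under `TA0009`) asserts an exfiltration-staging intent that a process-start rule keyed on copies to hidden admin shares, which is what the file name and the `user.id !=` predicate in the hunk header suggest this is, cannot distinguish from tool staging; the `T1570` Lateral Tool Transfer block added in the same hunk already covers the observable, so the Collection mapping will surface as coverage the rule cannot actually deliver. Unless the rule description (outside this hunk) names evidence for staging rather than transfer, I would drop the `[[rule.threat]]` / `T1074.002` entry or downgrade it to the parent `T1074`. Separately, the `+[[rule.threat.technique]]` block for T1570 lands directly after the T1021.002 `reference` line where a blank line was just removed, whereas the rest of this series separates technique tables with a `+` blank; if the collapsed rendering here is faithful, add one for consistency.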
@@ -101,31 +101,49 @@ sequence by winlog.logon.id, winlog.computer_name with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1569"
+name = "System Services"
+reference = "https://attack.mitre.org/techniques/T1569/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1569.002"
+name = "Service Execution"
+reference = "https://attack.mitre.org/techniques/T1569/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index 6409bf739d8..7492f498ecf 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -161,14 +161,31 @@ sequence with maxspan=1s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1569"
+name = "System Services"
+reference = "https://attack.mitre.org/techniques/T1569/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1569.002"
+name = "Service Execution"
+reference = "https://attack.mitre.org/techniques/T1569/002/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/lateral_movement_unusual_dns_service_children.toml b/rules/windows/lateral_movement_unusual_dns_service_children.toml
index f9f1e18e1ff..4ee2d91cf16 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_children.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_children.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -111,14 +111,26 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
index d7b316d6ed2..df4740c7d58 100644
--- a/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
+++ b/rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/10/06"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -77,18 +77,29 @@ event.category : "file" and host.os.type : "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["file.path", "host.id"]
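Review bot: In the second hunk (dns_service_file_writes) the new Initial Access entry places `+[[rule.threat.technique]]` immediately under `+framework = "MITRE ATT&CK"` with no `+` blank line, while the otherwise identical entry added to dns_service_children in the first hunk inserts one; the two sibling rules should read alike, so add the blank unless the collapsed rendering hides an existing context line. On the mapping itself, `T1190` presumes the Windows DNS role is reachable from outside the network, which is often untrue for internal AD-integrated resolvers; the tag is reasonable for exposed servers, but without a note in the rule description (outside these hunks) that the Initial Access mapping applies only in that case, triage may wrongly assume an external origin for every hit.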
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index a74ff41d148..f02efb407a4 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/19"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -91,36 +91,46 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.001"
 name = "Remote Desktop Protocol"
 reference = "https://attack.mitre.org/techniques/T1021/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.002"
+name = "SMB/Windows Admin Shares"
+reference = "https://attack.mitre.org/techniques/T1021/002/"
+[[rule.threat.technique]]
+id = "T1570"
+name = "Lateral Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1570/"
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml
index 22ecd3dc5c9..dddccbfc9bb 100644
--- a/rules/windows/lateral_movement_via_wsus_update.toml
+++ b/rules/windows/lateral_movement_via_wsus_update.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/19"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -92,14 +92,18 @@ process.executable : (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1072"
+name = "Software Deployment Tools"
+reference = "https://attack.mitre.org/techniques/T1072/"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-
diff --git a/rules/windows/persistence_browser_extension_install.toml b/rules/windows/persistence_browser_extension_install.toml
index 2141ad620c4..5b2e32e9786 100644
--- a/rules/windows/persistence_browser_extension_install.toml
+++ b/rules/windows/persistence_browser_extension_install.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/22"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -115,14 +115,18 @@ file where host.os.type == "windows" and event.type : "creation" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1176"
 name = "Software Extensions"
 reference = "https://attack.mitre.org/techniques/T1176/"
+[[rule.threat.technique.subtechnique]]
+id = "T1176.001"
+name = "Browser Extensions"
+reference = "https://attack.mitre.org/techniques/T1176/001/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index d53df13516f..e51958ef4fc 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -86,19 +86,36 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
 reference = "https://attack.mitre.org/techniques/T1136/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1136.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1136/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1564.002"
+name = "Hidden Users"
+reference = "https://attack.mitre.org/techniques/T1564/002/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index a29e42c832e..a509c414c5c 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/23"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -89,14 +89,18 @@ file where host.os.type == "windows" and event.type != "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1137"
 name = "Office Application Startup"
 reference = "https://attack.mitre.org/techniques/T1137/"
+[[rule.threat.technique.subtechnique]]
+id = "T1137.001"
+name = "Office Template Macros"
+reference = "https://attack.mitre.org/techniques/T1137/001/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules/windows/persistence_msi_installer_task_startup.toml b/rules/windows/persistence_msi_installer_task_startup.toml
index 240595008a9..efbc92edb68 100644
--- a/rules/windows/persistence_msi_installer_task_startup.toml
+++ b/rules/windows/persistence_msi_installer_task_startup.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -126,27 +126,40 @@ Windows Installer, through msiexec.exe, facilitates software installation and co
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.005"
 name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1547.001"
+name = "Registry Run Keys / Startup Folder"
+reference = "https://attack.mitre.org/techniques/T1547/001/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.007"
 name = "Msiexec"
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index 70d8729bfdc..289233277a1 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/15"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -94,36 +94,54 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.002"
 name = "Additional Email Delegate Permissions"
 reference = "https://attack.mitre.org/techniques/T1098/002/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1114"
+name = "Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1114.002"
+name = "Remote Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/002/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 477f8078256..010e61a60c7 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -153,41 +153,66 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+[[rule.threat.technique]]
+id = "T1176"
+name = "Software Extensions"
+reference = "https://attack.mitre.org/techniques/T1176/"
+
 [[rule.threat.technique]]
 id = "T1546"
 name = "Event Triggered Execution"
 reference = "https://attack.mitre.org/techniques/T1546/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1546.002"
 name = "Screensaver"
 reference = "https://attack.mitre.org/techniques/T1546/002/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.012"
+name = "Image File Execution Options Injection"
+reference = "https://attack.mitre.org/techniques/T1546/012/"
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1547.004"
+name = "Winlogon Helper DLL"
+reference = "https://attack.mitre.org/techniques/T1547/004/"
+[[rule.threat.technique.subtechnique]]
+id = "T1547.014"
+name = "Active Setup"
+reference = "https://attack.mitre.org/techniques/T1547/014/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 6cdfda1c03e..14c08b77d7f 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/18"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -170,19 +170,31 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 5152e42debf..426b00a56db 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -89,19 +89,84 @@ sequence by host.id, user.name with maxspan=1m
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techniques/T1547/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1547.001"
 name = "Registry Run Keys / Startup Folder"
 reference = "https://attack.mitre.org/techniques/T1547/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1127"
+name = "Trusted Developer Utilities Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1127/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1127.001"
+name = "MSBuild"
+reference = "https://attack.mitre.org/techniques/T1127/001/"
+
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.004"
+name = "InstallUtil"
+reference = "https://attack.mitre.org/techniques/T1218/004/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.005"
+name = "Mshta"
+reference = "https://attack.mitre.org/techniques/T1218/005/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.009"
+name = "Regsvcs/Regasm"
+reference = "https://attack.mitre.org/techniques/T1218/009/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.010"
+name = "Regsvr32"
+reference = "https://attack.mitre.org/techniques/T1218/010/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = 
"https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml index d5fd087cd9d..0cdd460da69 100644 --- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml +++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml @@ -2,7 +2,7 @@ creation_date = "2022/02/24" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -102,24 +102,36 @@ any where host.os.type == "windows" and event.code == "5136" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1484" +name = "Domain or Tenant Policy Modification" +reference = "https://attack.mitre.org/techniques/T1484/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml index cbd24408d74..c5f743170f9 100644 --- a/rules/windows/persistence_service_dll_unsigned.toml 
+++ b/rules/windows/persistence_service_dll_unsigned.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -167,53 +167,64 @@ Svchost.exe is a critical Windows process that hosts multiple services, allowing
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.011"
+name = "Services Registry Permissions Weakness"
+reference = "https://attack.mitre.org/techniques/T1574/011/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.001"
 name = "Invalid Code Signature"
 reference = "https://attack.mitre.org/techniques/T1036/001/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1569"
 name = "System Services"
 reference = "https://attack.mitre.org/techniques/T1569/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1569.002"
 name = "Service Execution"
 reference = "https://attack.mitre.org/techniques/T1569/002/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
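Review bot: `T1574.011` Services Registry Permissions Weakness is defined by how a service's registry value came to be changed (weak ACLs on the key), but a rule that, as the file name and the "Svchost.exe is a critical Windows process" description excerpt suggest, fires on svchost.exe loading an unsigned service DLL observes only the load and not the modification path, so the new subtechnique under Persistence asserts more than the telemetry can evidence; the existing `T1543.003` block already captures what is observable. If DLL substitution is the concern, tagging the parent `T1574` without the `.011` subtechnique is the defensible choice, otherwise the rule description (outside this hunk) should state why a permissions weakness is assumed. The same two blocks are appended here without the `+` blank separators the rest of this series puts between technique and subtechnique tables, assuming the collapsed rendering is faithful.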
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index e142ec77150..4907ef082e4 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/18"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/10/07"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -117,31 +117,41 @@ registry where host.os.type == "windows" and event.type == "change" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.011"
+name = "Services Registry Permissions Weakness"
+reference = "https://attack.mitre.org/techniques/T1574/011/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index fcea266ea46..288d3035d09 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/17"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -147,36 +147,36 @@ any where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.005"
 name = "Scheduled Task"
 reference = "https://attack.mitre.org/techniques/T1053/005/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1053"
-name = "Scheduled Task/Job"
-reference = "https://attack.mitre.org/techniques/T1053/"
-[[rule.threat.technique.subtechnique]]
-id = "T1053.005"
-name = "Scheduled Task"
-reference = "https://attack.mitre.org/techniques/T1053/005/"
+[[rule.threat.technique]]
+id = "T1559"
+name = "Inter-Process Communication"
+reference = "https://attack.mitre.org/techniques/T1559/"
+[[rule.threat.technique.subtechnique]]
+id = "T1559.001"
+name = "Component Object Model"
+reference = "https://attack.mitre.org/techniques/T1559/001/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml b/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml
index e3c5bf98f82..5706fc3e315 100644
--- a/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml
+++ b/rules/windows/persistence_suspicious_user_mandatory_profile_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/01/07"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
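Review bot: In the threat hunk, the second `[[rule.threat]]` entry removes `T1053` / `T1053.005` under Execution and substitutes `T1559.001`; ATT&CK places Scheduled Task/Job under Execution as well as Persistence and Privilege Escalation, so the removed block was a legitimate multi-tactic mapping rather than a duplicate of the Persistence entry, and dropping it leaves the scheduled-task behaviour this rule is named after without an Execution tag. Keeping the `T1053.005` technique block beside the new `T1559.001` block under `TA0002` preserves that coverage while still adding the COM mapping. This entry also, unlike the others in the series, inserts no `+` blank line after ` framework = "MITRE ATT&CK"` or between the re-added technique and subtechnique tables; if the file has none there, add them for consistency.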
@@ -86,27 +86,31 @@ file where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1547"
 name = "Boot or Logon Autostart Execution"
 reference = "https://attack.mitre.org/techni
ques/T1547/"
+[[rule.threat.technique.subtechnique]]
+id = "T1547.001"
+name = "Registry Run Keys / Startup Folder"
+reference = "https://attack.mitre.org/techniques/T1547/001/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-[[rule.threat]]
+[[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1112"
 name = "Modify Registry"
 reference = "https://attack.mitre.org/techniques/T1112/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index 2a0d907bce6..a3b0b221fdb 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -120,27 +120,30 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" @@ -151,10 +154,17 @@ id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index 708d2187cb4..9143335a022 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/04/24" +updated_date = "2026/03/24" [rule] author = ["Elastic", "Skoetting"] 
@@ -102,14 +102,18 @@ iam where host.os.type == "windows" and event.action == "added-member-to-group" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique.subtechnique]] +id = "T1098.007" +name = "Additional Local or Domain Groups" +reference = "https://attack.mitre.org/techniques/T1098/007/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index 2bab46a9d12..5fff35a5c75 100644 --- a/rules/windows/persistence_user_account_creation.toml +++ b/rules/windows/persistence_user_account_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -87,19 +87,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1136" name = "Create Account" reference = "https://attack.mitre.org/techniques/T1136/" + [[rule.threat.technique.subtechnique]] id = "T1136.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1136.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1136/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml index 1d217e04fb3..249be5b3caf 100644 --- a/rules/windows/persistence_via_hidden_run_key_valuename.toml 
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/15" integration = ["endpoint", "windows", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -97,43 +97,49 @@ registry where host.os.type == "windows" and event.type == "change" and length(r [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1106" name = "Native API" reference = "https://attack.mitre.org/techniques/T1106/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1564" +name = "Hide Artifacts" +reference = "https://attack.mitre.org/techniques/T1564/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index 4c77031fe53..5460a9a109a 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/08/17" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -147,36 +147,41 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.011" +name = "Services Registry Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/011/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" -[[rule.threat.technique]] -id = "T1574" -name = "Hijack Execution Flow" -reference = "https://attack.mitre.org/techniques/T1574/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml index df5ba00f618..ab9056795e5 100644 --- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml +++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.osquery]] @@ -170,41 +170,61 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.001" +name = "Logon Script (Windows)" +reference = "https://attack.mitre.org/techniques/T1037/001/" + +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" + [[rule.threat.technique.subtechnique]] id = "T1547.001" name = "Registry Run Keys / Startup Folder" reference = "https://attack.mitre.org/techniques/T1547/001/" - +[[rule.threat.technique.subtechnique]] +id = "T1547.004" +name = "Winlogon Helper DLL" +reference = "https://attack.mitre.org/techniques/T1547/004/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - 
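Review bot: The three added `T1112` (Modify Registry) lines in persistence_via_wmi_stdregprov_run_services.toml land inside the `[[rule.threat]]` whose tactic is `TA0003` Persistence, but in ATT&CK that technique is catalogued under Defense Evasion, and every other file in this commit that adds `T1112` (persistence_suspicious_user_mandatory_profile_file, persistence_via_hidden_run_key_valuename, persistence_werfault_reflectdebugger, privilege_escalation_printspooler_registry_copyfiles) puts it in its own `[[rule.threat]]` with `id = "TA0005"`. If the repo's MITRE validation checks technique-to-tactic membership this will presumably be rejected; even if it passes, the mapping is inconsistent with the rest of the change set. Suggest dropping the `T1112` technique from the Persistence block and appending a Defense Evasion block after the existing Execution one, as below.

```toml
# … unchanged: Persistence and Execution threat blocks, minus the T1112 technique …

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```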
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 9999667d1d4..133006547ec 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml @@ -2,7 +2,7 @@ creation_date = "2021/08/24" integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2026/01/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -153,35 +153,38 @@ value = "*?:\\\\Program Files (x86)\\\\*" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" + [[rule.threat.technique.subtechnique]] id = "T1505.003" name = "Web Shell" reference = "https://attack.mitre.org/techniques/T1505/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" @@ -191,6 +194,7 @@ reference = "https://attack.mitre.org/techniques/T1047/" id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" 
@@ -206,14 +210,15 @@ id = "T1059.005" name = "Visual Basic" reference = "https://attack.mitre.org/techniques/T1059/005/" - +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - - [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.command_line"] diff --git a/rules/windows/persistence_werfault_reflectdebugger.toml b/rules/windows/persistence_werfault_reflectdebugger.toml index 10b36a1c675..fe4ec754836 100644 --- a/rules/windows/persistence_werfault_reflectdebugger.toml +++ b/rules/windows/persistence_werfault_reflectdebugger.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -89,26 +89,31 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" +[[rule.threat.technique.subtechnique]] +id = "T1546.012" +name = "Image File Execution Options Injection" +reference = "https://attack.mitre.org/techniques/T1546/012/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml index 50b903484bb..27303266a55 100644 --- a/rules/windows/privilege_escalation_credroaming_ldap.toml +++ b/rules/windows/privilege_escalation_credroaming_ldap.toml @@ -2,7 +2,7 @@ creation_date = "2022/11/09" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -98,14 +98,18 @@ event.code:"5136" and host.os.type:"windows" and winlog.event_data.AttributeLDAP [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml index 8d113e3b967..dc3a6bd371b 100644 --- a/rules/windows/privilege_escalation_disable_uac_registry.toml +++ b/rules/windows/privilege_escalation_disable_uac_registry.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/20" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/08/26" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -113,51 +113,41 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.002" name = "Bypass User Account Control" reference = "https://attack.mitre.org/techniques/T1548/002/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" -[[rule.threat.technique]] -id = "T1548" -name = "Abuse Elevation Control Mechanism" -reference = "https://attack.mitre.org/techniques/T1548/" -[[rule.threat.technique.subtechnique]] -id = "T1548.002" -name = "Bypass User Account Control" -reference = "https://attack.mitre.org/techniques/T1548/002/" - - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml b/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml index b68b5bdb6c1..b86726f75eb 100644 --- a/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml +++ b/rules/windows/privilege_escalation_dmsa_creation_by_unusual_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/23" integration = ["system", "windows"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -61,27 +61,44 @@ event.code:5137 and host.os.type:"windows" and winlog.event_data.ObjectClass:"ms [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.002" name = "Domain Accounts" reference = "https://attack.mitre.org/techniques/T1078/002/" - [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1136" +name = "Create Account" +reference = "https://attack.mitre.org/techniques/T1136/" + +[[rule.threat.technique.subtechnique]] +id = "T1136.002" +name = "Domain Account" +reference = "https://attack.mitre.org/techniques/T1136/002/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["winlog.event_data.SubjectUserName"] diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml index 45a02549dbd..7f8f269e82d 100644 --- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml +++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/29" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -82,14 +82,39 @@ any where host.os.type == "windows" and event.category : ("library", "process") [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1129" +name = "Shared Modules" +reference = "https://attack.mitre.org/techniques/T1129/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1505" +name = "Server Software Component" +reference = "https://attack.mitre.org/techniques/T1505/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/privilege_escalation_driver_newterm_imphash.toml b/rules/windows/privilege_escalation_driver_newterm_imphash.toml index cec1e42a855..1c167c67958 100644 --- a/rules/windows/privilege_escalation_driver_newterm_imphash.toml +++ b/rules/windows/privilege_escalation_driver_newterm_imphash.toml @@ -2,7 +2,7 @@ creation_date = "2022/12/19" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -118,34 +118,44 @@ event.category:"driver" and host.os.type:windows and event.action:"load" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [rule.new_terms] field = "new_terms_fields" value = ["dll.pe.original_file_name", "dll.code_signature.subject_name"] diff --git a/rules/windows/privilege_escalation_expired_driver_loaded.toml b/rules/windows/privilege_escalation_expired_driver_loaded.toml index d96ccf10bfe..cf2760676b2 100644 --- a/rules/windows/privilege_escalation_expired_driver_loaded.toml +++ b/rules/windows/privilege_escalation_expired_driver_loaded.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/26" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -75,31 +75,41 @@ In Windows environments, drivers facilitate communication between the OS and har [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.002" +name = "Code Signing" +reference = "https://attack.mitre.org/techniques/T1553/002/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_exploit_cve_202238028.toml b/rules/windows/privilege_escalation_exploit_cve_202238028.toml index 7ce5473206a..4d153d83157 100644 --- a/rules/windows/privilege_escalation_exploit_cve_202238028.toml +++ b/rules/windows/privilege_escalation_exploit_cve_202238028.toml @@ -2,7 +2,7 @@ creation_date = "2024/04/23" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/09/11" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -102,26 +102,36 @@ file where host.os.type == "windows" and event.type != "deletion" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.010" +name = "Services File Permissions Weakness" +reference = "https://attack.mitre.org/techniques/T1574/010/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml index 83c8fad1aea..447985003d7 100644 --- a/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml +++ b/rules/windows/privilege_escalation_gpo_schtask_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/13" integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -90,36 +90,46 @@ file where host.os.type == "windows" and event.type != "deletion" and event.acti [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.001" name = "Group Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/001/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" + [[rule.threat.technique.subtechnique]] id = "T1053.005" name = "Scheduled Task" reference = "https://attack.mitre.org/techniques/T1053/005/" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml index 1c705e82d44..bb2e22b742f 100644 --- a/rules/windows/privilege_escalation_group_policy_iniscript.toml +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/08" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -121,24 +121,36 @@ any where host.os.type == "windows" and event.code in ("5136", "5145") and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1484" name = "Domain or Tenant Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/" + [[rule.threat.technique.subtechnique]] id = "T1484.001" name = "Group Policy Modification" reference = "https://attack.mitre.org/techniques/T1484/001/" - [[rule.threat.technique]] id = "T1547" name = "Boot or Logon Autostart Execution" reference = "https://attack.mitre.org/techniques/T1547/" - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index 52bf1177ba3..70c6969235e 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml @@ -2,7 +2,7 @@ creation_date = "2021/11/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -143,14 +143,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml index 337b065f9c5..d0e2f4e4fde 100644 --- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml +++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/04/27" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/11/14" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -89,31 +89,36 @@ sequence by winlog.computer_name with maxspan=5m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1543" name = "Create or Modify System Process" reference = "https://attack.mitre.org/techniques/T1543/" + [[rule.threat.technique.subtechnique]] id = "T1543.003" name = "Windows Service" reference = "https://attack.mitre.org/techniques/T1543/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" + [[rule.threat.technique]] id = "T1558" name = "Steal or Forge Kerberos Tickets" reference = "https://attack.mitre.org/techniques/T1558/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index 17355c1cbf2..2cfed3e6651 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/23" integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [transform] [[transform.osquery]] 
@@ -135,14 +135,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1134" name = "Access Token Manipulation" reference = "https://attack.mitre.org/techniques/T1134/" +[[rule.threat.technique.subtechnique]] +id = "T1134.001" +name = "Token Impersonation/Theft" +reference = "https://attack.mitre.org/techniques/T1134/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml index 0d2a820a60c..0662fe27d5b 100644 --- a/rules/windows/privilege_escalation_posh_token_impersonation.toml +++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml @@ -2,7 +2,7 @@ creation_date = "2022/08/17" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -162,44 +162,49 @@ event.category:process and host.os.type:windows and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1134"
 name = "Access Token Manipulation"
 reference = "https://attack.mitre.org/techniques/T1134/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1134.001"
 name = "Token Impersonation/Theft"
 reference = "https://attack.mitre.org/techniques/T1134/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1134.002"
+name = "Create Process with Token"
+reference = "https://attack.mitre.org/techniques/T1134/002/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
 [[rule.threat.technique]]
 id = "T1106"
 name = "Native API"
 reference = "https://attack.mitre.org/techniques/T1106/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
index 020105af031..e1aae601bad 100644
--- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/26"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -95,14 +95,31 @@ sequence by host.id with maxspan=30s
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index b425a85e9c6..5209db6b7d0 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/02/19"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
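Review bot: The added T1574 Hijack Execution Flow entry in the Privilege Escalation block carries no sub-technique, while the sibling rule updated in this commit, privilege_escalation_printspooler_service_suspicious_file, pairs the same T1574 with T1574.001 DLL. If this rule's registry sequence also keys on a module path that the spooler goes on to load, adding a `[[rule.threat.technique.subtechnique]]` entry with `id = "T1574.001"` and `name = "DLL"` would keep the two mappings consistent. The query is outside the hunk, so whether the sub-technique applies here is to be confirmed against it.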
@@ -138,17 +138,26 @@ value = "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.001"
+name = "DLL"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "file.name"]
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index 75067c258a1..1f6466d2994 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/06"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -91,14 +91,31 @@ file where host.os.type == "windows" and event.type == "deletion" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
 reference = "https://attack.mitre.org/techniques/T1068/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1070"
+name = "Indicator Removal"
+reference = "https://attack.mitre.org/techniques/T1070/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1070.004"
+name = "File Deletion"
+reference = "https://attack.mitre.org/techniques/T1070/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
index c415ada0e36..7b6d04f8e88 100644
--- a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
+++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/05"
 integration = ["endpoint", "windows", "crowdstrike", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
-updated_date = "2025/10/07"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -135,46 +135,59 @@ registry where host.os.type == "windows" and event.type == "change" and process.
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
-
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1574.011"
 name = "Services Registry Permissions Weakness"
 reference = "https://attack.mitre.org/techniques/T1574/011/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1569"
 name = "System Services"
 reference = "https://attack.mitre.org/techniques/T1569/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1569.002"
 name = "Service Execution"
 reference = "https://attack.mitre.org/techniques/T1569/002/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index e411a855b25..265e4436435 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
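Review bot: The new third `[[rule.threat]]` block in this hunk maps T1112 Modify Registry to tactic TA0003 Persistence, but ATT&CK lists T1112 only under Defense Evasion, and the other hunks in this commit that add T1112 (privilege_escalation_printspooler_registry_copyfiles and privilege_escalation_rogue_windir_environment_var) place it under TA0005. A technique paired with a tactic the framework does not define for it is the kind of inconsistency the repository's threat-mapping checks are likely to reject. If Defense Evasion is the intent, change the tactic lines to `id = "TA0005"`, `name = "Defense Evasion"`, `reference = "https://attack.mitre.org/tactics/TA0005/"`; if a Persistence mapping is wanted, T1543.003 Windows Service, already used in the first block, is the technique ATT&CK lists under Persistence.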
@@ -2,7 +2,7 @@
 creation_date = "2020/11/26"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/11"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -92,19 +92,31 @@ registry.path : (
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1574.007"
 name = "Path Interception by PATH Environment Variable"
 reference = "https://attack.mitre.org/techniques/T1574/007/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
index 2f73a8e24e7..8fc20711803 100644
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/12/12"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -84,6 +84,7 @@ iam where host.os.type == "windows" and event.action == "renamed-user-account" a
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
@@ -93,27 +94,39 @@ reference = "https://attack.mitre.org/techniques/T1068/"
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.002"
 name = "Domain Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/002/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
index c2d36fb1b78..cc533de6f4b 100644
--- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
+++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -120,23 +120,25 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.003"
 name = "Windows Service"
 reference = "https://attack.mitre.org/techniques/T1543/003/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1047"
 name = "Windows Management Instrumentation"
@@ -146,6 +148,7 @@ reference = "https://attack.mitre.org/techniques/T1047/"
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
@@ -161,18 +164,34 @@ id = "T1059.005"
 name = "Visual Basic"
 reference = "https://attack.mitre.org/techniques/T1059/005/"
+[[rule.threat.technique]]
+id = "T1569"
+name = "System Services"
+reference = "https://attack.mitre.org/techniques/T1569/"
+[[rule.threat.technique.subtechnique]]
+id = "T1569.002"
+name = "Service Execution"
+reference = "https://attack.mitre.org/techniques/T1569/002/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.005"
+name = "Mshta"
+reference = "https://attack.mitre.org/techniques/T1218/005/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.010"
 name = "Regsvr32"
@@ -183,10 +202,7 @@ id = "T1218.011"
 name = "Rundll32"
 reference = "https://attack.mitre.org/techniques/T1218/011/"
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
index db144eec549..fbb26f3b07c 100644
--- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
+++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/11"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -87,6 +87,7 @@ iam where host.os.type == "windows" and event.action == "changed-computer-accoun
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
@@ -96,15 +97,18 @@ reference = "https://attack.mitre.org/techniques/T1068/"
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.002"
 name = "Domain Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/002/"
-
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index 97b2898d655..280063046d8 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/03"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -91,53 +91,49 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-[[rule.threat.technique.subtechnique]]
-id = "T1548.002"
-name = "Bypass User Account Control"
-reference = "https://attack.mitre.org/techniques/T1548/002/"
-
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1559"
 name = "Inter-Process Communication"
 reference = "https://attack.mitre.org/techniques/T1559/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1559.001"
 name = "Component Object Model"
 reference = "https://attack.mitre.org/techniques/T1559/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index 8752086e4ee..e8e462a1c8b 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/26"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/05/05"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -134,46 +134,36 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1036.005"
 name = "Match Legitimate Resource Name or Location"
 reference = "https://attack.mitre.org/techniques/T1036/005/"
-
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-[[rule.threat.technique.subtechnique]]
-id = "T1548.002"
-name = "Bypass User Account Control"
-reference = "https://attack.mitre.org/techniques/T1548/002/"
-
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index fa2fd7c192b..9afd4609252 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/14"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -132,46 +132,36 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1548.002"
 name = "Bypass User Account Control"
 reference = "https://attack.mitre.org/techniques/T1548/002/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1218"
 name = "System Binary Proxy Execution"
 reference = "https://attack.mitre.org/techniques/T1218/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1218.014"
 name = "MMC"
 reference = "https://attack.mitre.org/techniques/T1218/014/"
-
-[[rule.threat.technique]]
-id = "T1548"
-name = "Abuse Elevation Control Mechanism"
-reference = "https://attack.mitre.org/techniques/T1548/"
-[[rule.threat.technique.subtechnique]]
-id = "T1548.002"
-name = "Bypass User Account Control"
-reference = "https://attack.mitre.org/techniques/T1548/002/"
-
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 4a8e99f0049..dedb007cc3a 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/06/05"
+updated_date = "2026/03/24"
 [transform]
 [[transform.osquery]]
@@ -162,19 +162,46 @@ process.parent.name != null and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1055"
 name = "Process Injection"
 reference = "https://attack.mitre.org/techniques/T1055/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1055.012"
 name = "Process Hollowing"
 reference = "https://attack.mitre.org/techniques/T1055/012/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1036.009"
+name = "Break Process Trees"
+reference = "https://attack.mitre.org/techniques/T1036/009/"
+
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1134.004"
+name = "Parent PID Spoofing"
+reference = "https://attack.mitre.org/techniques/T1134/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
index cb89a43db4b..35c9d4192d8 100644
--- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/13"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -93,14 +93,18 @@ file where host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1134"
 name = "Access Token Manipulation"
 reference = "https://attack.mitre.org/techniques/T1134/"
+[[rule.threat.technique.subtechnique]]
+id = "T1134.001"
+name = "Token Impersonation/Theft"
+reference = "https://attack.mitre.org/techniques/T1134/001/"
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
diff --git a/rules_building_block/collection_archive_data_zip_imageload.toml b/rules_building_block/collection_archive_data_zip_imageload.toml
index 445af055e36..fe0eec74932 100644
--- a/rules_building_block/collection_archive_data_zip_imageload.toml
+++ b/rules_building_block/collection_archive_data_zip_imageload.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -56,14 +56,18 @@ library where host.os.type == "windows" and event.action == "load" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
 reference = "https://attack.mitre.org/techniques/T1560/"
+[[rule.threat.technique.subtechnique]]
+id = "T1560.002"
+name = "Archive via Library"
+reference = "https://attack.mitre.org/techniques/T1560/002/"
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
diff --git a/rules_building_block/collection_common_compressed_archived_file.toml b/rules_building_block/collection_common_compressed_archived_file.toml
index 5742ea8c024..8b77228182d 100644
--- a/rules_building_block/collection_common_compressed_archived_file.toml
+++ b/rules_building_block/collection_common_compressed_archived_file.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = "endpoint"
 maturity = "production"
-updated_date = "2025/01/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -76,58 +76,64 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1074"
 name = "Data Staged"
 reference = "https://attack.mitre.org/techniques/T1074/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1074.001"
 name = "Local Data Staging"
 reference = "https://attack.mitre.org/techniques/T1074/001/"
-
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
 reference = "https://attack.mitre.org/techniques/T1560/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1560.001"
 name = "Archive via Utility"
 reference = "https://attack.mitre.org/techniques/T1560/001/"
-
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1132"
 name = "Data Encoding"
 reference = "https://attack.mitre.org/techniques/T1132/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1132.001"
 name = "Standard Encoding"
 reference = "https://attack.mitre.org/techniques/T1132/001/"
-
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
 reference = "https://attack.mitre.org/techniques/T1027/"
+[[rule.threat.technique.subtechnique]]
+id = "T1027.015"
+name = "Compression"
+reference = "https://attack.mitre.org/techniques/T1027/015/"
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml
index 5fd3ef741f5..e78b29e10e9 100644
--- a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml
+++ b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -43,19 +43,36 @@ file where host.os.type == "windows" and event.type == "creation" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1074"
 name = "Data Staged"
 reference = "https://attack.mitre.org/techniques/T1074/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1074.001"
 name = "Local Data Staging"
 reference = "https://attack.mitre.org/techniques/T1074/001/"
-
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1564.001"
+name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1564/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules_building_block/collection_microsoft_purview_dlp_signal.toml b/rules_building_block/collection_microsoft_purview_dlp_signal.toml
index bfc6b8ca0b3..03a5db7e642 100644
--- a/rules_building_block/collection_microsoft_purview_dlp_signal.toml
+++ b/rules_building_block/collection_microsoft_purview_dlp_signal.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2026/02/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -56,13 +56,39 @@ event.dataset:o365.audit and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
+[[rule.threat.technique]]
+id = "T1114"
+name = "Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/"
+
+[[rule.threat.technique]]
+id = "T1530"
+name = "Data from Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1530/"
+
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1567"
+name = "Exfiltration Over Web Service"
+reference = "https://attack.mitre.org/techniques/T1567/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1567.002"
+name = "Exfiltration to Cloud Storage"
+reference = "https://attack.mitre.org/techniques/T1567/002/"
+
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
diff --git a/rules_building_block/collection_outlook_email_archive.toml b/rules_building_block/collection_outlook_email_archive.toml
index 529eff840b9..ad3153f2733 100644
--- a/rules_building_block/collection_outlook_email_archive.toml
+++ b/rules_building_block/collection_outlook_email_archive.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/21"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -52,19 +52,23 @@ process where host.os.type == "windows" and event.type == "start" and process.ar
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
+
 [[rule.threat.technique]]
 id = "T1114"
 name = "Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1114.001"
 name = "Local Email Collection"
 reference = "https://attack.mitre.org/techniques/T1114/001/"
-
-
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
-
diff --git a/rules_building_block/collection_posh_compression.toml b/rules_building_block/collection_posh_compression.toml
index 621b225c547..281482a083f 100644
--- a/rules_building_block/collection_posh_compression.toml
+++ b/rules_building_block/collection_posh_compression.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/07/06"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -207,34 +207,44 @@ value = "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1560"
 name = "Archive Collected Data"
 reference = "https://attack.mitre.org/techniques/T1560/"
+[[rule.threat.technique.subtechnique]]
+id = "T1560.001"
+name = "Archive via Utility"
+reference = "https://attack.mitre.org/techniques/T1560/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1560.002"
+name = "Archive via Library"
+reference = "https://attack.mitre.org/techniques/T1560/002/"
 [rule.threat.tactic]
 id = "TA0009"
 name = "Collection"
 reference = "https://attack.mitre.org/tactics/TA0009/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules_building_block/command_and_control_certutil_network_connection.toml b/rules_building_block/command_and_control_certutil_network_connection.toml
index 4ed4c5547f0..c4ccf43c4ee 100644
--- a/rules_building_block/command_and_control_certutil_network_connection.toml
+++ b/rules_building_block/command_and_control_certutil_network_connection.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2020/03/19"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [transform]
 [[transform.investigate]]
@@ -163,14 +163,26 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml b/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml index 5701fe075a7..cb59a5d1761 100644 --- a/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml +++ b/rules_building_block/command_and_control_ollama_model_download_untrusted_source.toml @@ -2,7 +2,7 @@ creation_date = "2026/01/09" integration = ["endpoint"] maturity = "production" -updated_date = "2026/01/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -56,31 +56,36 @@ network where event.action == "lookup_requested" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1105" name = "Ingress Tool Transfer" reference = "https://attack.mitre.org/techniques/T1105/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" + +[[rule.threat.technique.subtechnique]] +id = "T1195.001" +name = "Compromise Software Dependencies and Development Tools" +reference = "https://attack.mitre.org/techniques/T1195/001/" + [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules_building_block/credential_access_entra_id_risk_detection_signal.toml b/rules_building_block/credential_access_entra_id_risk_detection_signal.toml index 74f8692331c..f73fe1603bd 100644 --- a/rules_building_block/credential_access_entra_id_risk_detection_signal.toml +++ b/rules_building_block/credential_access_entra_id_risk_detection_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -54,29 +54,35 @@ event.dataset:o365.audit and event.code:AadRiskDetection [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" reference = "https://attack.mitre.org/techniques/T1078/004/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" diff --git a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml index 6eb634e33de..6850fbdf214 100644 --- a/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/08/18" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
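Review bot: The added `T1110.003` Password Spraying sub-technique is narrower than what the visible query `event.dataset:o365.audit and event.code:AadRiskDetection` matches; as far as I know AadRiskDetection events cover many risk event types, only some of which relate to spraying, so every risk-detection alert from this rule would count toward T1110.003 in coverage views. Unless the rest of the query, which is outside the hunk, filters on a spray-specific risk event type, keep only the parent `T1110` block, or state in the rule description which risk event types justify the sub-technique.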
@@ -49,14 +49,23 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1003" name = "OS Credential Dumping" reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.001" +name = "Credentials In Files" +reference = "https://attack.mitre.org/techniques/T1552/001/" [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml index c4ef158a6dc..74149cb7985 100644 --- a/rules_building_block/credential_access_win_private_key_access.toml +++ b/rules_building_block/credential_access_win_private_key_access.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
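Review bot: With `T1552.001` Credentials In Files now describing how this rule's activity exposes a stored password (presumably the application pool password via appcmd, going by the file name), the retained `T1003` OS Credential Dumping block at the top of the hunk reads as an over-claim, since reading a password out of IIS configuration is not a dump of an OS credential store. Consider dropping the `T1003` technique from this `[[rule.threat]]` entry, or, if it is kept deliberately, add a one-line justification to the rule description. The query that decides this is outside the hunk, so confirm against it.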
@@ -74,19 +74,31 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" + [[rule.threat.technique.subtechnique]] id = "T1552.004" name = "Private Keys" reference = "https://attack.mitre.org/techniques/T1552/004/" - - [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml index b46bd062dc8..47797a8332d 100644 --- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml +++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -48,31 +48,36 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1027" +name = "Obfuscated Files or Information" +reference = "https://attack.mitre.org/techniques/T1027/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml index 87e086c3d31..630b6740fe8 100644 --- a/rules_building_block/defense_evasion_dll_hijack.toml +++ b/rules_building_block/defense_evasion_dll_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -83,24 +83,18 @@ library where host.os.type == "windows" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.001" -name = "DLL" -reference = "https://attack.mitre.org/techniques/T1574/001/" [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml index 79332fc5371..363c2625cf8 100644 --- a/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml +++ b/rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/25" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -40,24 +40,28 @@ sequence by user.id with maxspan=5s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" +[[rule.threat.technique.subtechnique]] +id = "T1127.002" +name = "ClickOnce" +reference = "https://attack.mitre.org/techniques/T1127/002/" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" + [[rule.threat.technique.subtechnique]] id = "T1218.011" name = "Rundll32" reference = "https://attack.mitre.org/techniques/T1218/011/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - 
diff --git a/rules_building_block/defense_evasion_download_susp_extension.toml b/rules_building_block/defense_evasion_download_susp_extension.toml index 0e65e8b4c34..2b11ed47d61 100644 --- a/rules_building_block/defense_evasion_download_susp_extension.toml +++ b/rules_building_block/defense_evasion_download_susp_extension.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/27" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -61,22 +61,25 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" @@ -87,10 +90,25 @@ id = "T1566.002" name = "Spearphishing Link" reference = "https://attack.mitre.org/techniques/T1566/002/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" 
diff --git a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml index 2eecbdb9c35..263944fd022 100644 --- a/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml +++ b/rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -78,26 +78,36 @@ sequence with maxspan=1m [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" + [[rule.threat.technique.subtechnique]] id = "T1127.001" name = "MSBuild" reference = "https://attack.mitre.org/techniques/T1127/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/defense_evasion_generic_deletion.toml b/rules_building_block/defense_evasion_generic_deletion.toml index ba036559b71..4092da460aa 100644 --- a/rules_building_block/defense_evasion_generic_deletion.toml +++ b/rules_building_block/defense_evasion_generic_deletion.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -54,19 +54,33 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1070" name = "Indicator Removal" reference = "https://attack.mitre.org/techniques/T1070/" + [[rule.threat.technique.subtechnique]] id = "T1070.004" name = "File Deletion" reference = "https://attack.mitre.org/techniques/T1070/004/" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[[rule.threat.technique.subtechnique]] +id = "T1218.011" +name = "Rundll32" +reference = "https://attack.mitre.org/techniques/T1218/011/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_masquerading_windows_dll.toml b/rules_building_block/defense_evasion_masquerading_windows_dll.toml index afce0c6f8cd..7a42e416ca9 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_dll.toml +++ b/rules_building_block/defense_evasion_masquerading_windows_dll.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/09/01" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -108,10 +108,12 @@ library where event.action == "load" and dll.Ext.relative_file_creation_time <= [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" 
@@ -122,37 +124,40 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" + +[[rule.threat.technique.subtechnique]] +id = "T1553.002" +name = "Code Signing" +reference = "https://attack.mitre.org/techniques/T1553/002/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" -[[rule.threat.technique.subtechnique]] -id = "T1574.001" -name = "DLL" -reference = "https://attack.mitre.org/techniques/T1574/001/" [[rule.threat.technique.subtechnique]] id = "T1574.001" name = "DLL" reference = "https://attack.mitre.org/techniques/T1574/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml index 884c457808b..4387a5d03f7 100644 --- a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml +++ b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/20" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
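Review bot: The new `T1553.002` Code Signing sub-technique sits oddly next to the existing `T1036.001` Invalid Code Signature block in the same `[[rule.threat]]` entry, because T1553.002 describes malware carrying a valid signature from an obtained or stolen certificate, not an untrusted or missing one. Unless the query outside the hunk also matches DLLs whose signature is valid but from an unexpected signer, the sub-technique claims coverage the rule does not have; if it is kept, the description should say which signature state is meant. The same addition appears in the `defense_evasion_masquerading_windows_system32_exe.toml` hunk that follows.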
@@ -82,10 +82,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" @@ -96,22 +98,30 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.002" +name = "Code Signing" +reference = "https://attack.mitre.org/techniques/T1553/002/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml b/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml index eb6a59b0199..d685e67b893 100644 --- a/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml +++ b/rules_building_block/defense_evasion_microsoft_security_compliance_admin_signal.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2026/02/20" integration = ["o365"] maturity = "production" -updated_date = "2026/02/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
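Review bot: In the second hunk (`@@ -96,22 +98,30 @@`) the `T1553`/`T1553.002` addition is eight added lines with no blank line between `reference = "https://attack.mitre.org/techniques/T1553/"` and the following `[[rule.threat.technique.subtechnique]]`, whereas the identical addition in `defense_evasion_masquerading_windows_dll.toml` inserts a separator. The line counts (22 to 30) confirm no blank lines were added, so at least one boundary among the T1036.005 reference, the new T1553 block, its sub-technique and `[rule.threat.tactic]` ends up without the separating blank line the rest of this commit introduces. Running the same formatter over this file would make the two rules match.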
@@ -54,30 +54,49 @@ event.dataset:o365.audit and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" + [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml index 6c94369c5a7..53fcb399412 100644 --- a/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml +++ b/rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/26" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -59,14 +59,31 @@ process where host.os.type == "windows" and event.action == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1218" name = "System Binary Proxy Execution" reference = "https://attack.mitre.org/techniques/T1218/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_outlook_suspicious_child.toml b/rules_building_block/defense_evasion_outlook_suspicious_child.toml index a081138d5d5..04c850ef329 100644 --- a/rules_building_block/defense_evasion_outlook_suspicious_child.toml +++ b/rules_building_block/defense_evasion_outlook_suspicious_child.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/01/10" integration = ["endpoint"] maturity = "production" -updated_date = "2025/05/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -72,10 +72,12 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" 
@@ -86,27 +88,38 @@ id = "T1036.005" name = "Match Legitimate Resource Name or Location" reference = "https://attack.mitre.org/techniques/T1036/005/" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1554" name = "Compromise Host Software Binary" reference = "https://attack.mitre.org/techniques/T1554/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml index 88639b9b669..f3bea5cad31 100644 --- a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml +++ b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2025/04/16" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -174,39 +174,44 @@ from logs-windows.powershell_operational* metadata _id, _version, _index [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1027" name = "Obfuscated Files or Information" reference = "https://attack.mitre.org/techniques/T1027/" +[[rule.threat.technique.subtechnique]] +id = "T1027.010" +name = "Command Obfuscation" +reference = "https://attack.mitre.org/techniques/T1027/010/" + [[rule.threat.technique]] id = "T1140" name = "Deobfuscate/Decode Files or Information" reference = "https://attack.mitre.org/techniques/T1140/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/defense_evasion_service_disabled_registry.toml b/rules_building_block/defense_evasion_service_disabled_registry.toml index c1f1d49dab7..504eedb76b9 100644 --- a/rules_building_block/defense_evasion_service_disabled_registry.toml +++ b/rules_building_block/defense_evasion_service_disabled_registry.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -48,26 +48,36 @@ registry where host.os.type == "windows" and event.type == "change" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1112" name = "Modify Registry" reference = "https://attack.mitre.org/techniques/T1112/" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat.technique.subtechnique]] +id = "T1562.001" +name = "Disable or Modify Tools" +reference = "https://attack.mitre.org/techniques/T1562/001/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1489" name = "Service Stop" reference = "https://attack.mitre.org/techniques/T1489/" - [rule.threat.tactic] id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" - diff --git a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml index 90930db47e5..2a00fb024b7 100644 --- a/rules_building_block/defense_evasion_unusual_process_path_wbem.toml +++ b/rules_building_block/defense_evasion_unusual_process_path_wbem.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -55,14 +55,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - diff --git a/rules_building_block/defense_evasion_write_dac_access.toml b/rules_building_block/defense_evasion_write_dac_access.toml index ca738169f21..26796bd548b 100644 --- a/rules_building_block/defense_evasion_write_dac_access.toml +++ b/rules_building_block/defense_evasion_write_dac_access.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -63,19 +63,31 @@ host.os.type: "windows" and event.action : ("Directory Service Access" or "objec [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1222" name = "File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/" + [[rule.threat.technique.subtechnique]] id = "T1222.001" name = "Windows File and Directory Permissions Modification" reference = "https://attack.mitre.org/techniques/T1222/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" 
diff --git a/rules_building_block/discovery_generic_account_groups.toml b/rules_building_block/discovery_generic_account_groups.toml index eb8dadcd502..7c0ba29b8f0 100644 --- a/rules_building_block/discovery_generic_account_groups.toml +++ b/rules_building_block/discovery_generic_account_groups.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/13" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -64,10 +64,17 @@ and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18" [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1033" +name = "System Owner/User Discovery" +reference = "https://attack.mitre.org/techniques/T1033/" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" + [[rule.threat.technique.subtechnique]] id = "T1069.001" name = "Local Groups" @@ -78,11 +85,11 @@ id = "T1069.002" name = "Domain Groups" reference = "https://attack.mitre.org/techniques/T1069/002/" - [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -93,15 +100,12 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - [[rule.threat.technique]] id = "T1201" name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_hosts_file_access.toml b/rules_building_block/discovery_hosts_file_access.toml index d371aaa1a97..a63b5a271f0 100644 --- a/rules_building_block/discovery_hosts_file_access.toml +++ b/rules_building_block/discovery_hosts_file_access.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/07/11" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/12/23" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -42,6 +42,11 @@ not ?process.working_directory in ("/opt/SolarWinds/Agent/bin/Plugins/SCM", "/op [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml index 981adb13784..fbf32904d63 100644 --- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml +++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/12" integration = ["auditd_manager"] maturity = "production" -updated_date = "2024/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -70,11 +70,15 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1518" +name = "Software Discovery" +reference = "https://attack.mitre.org/techniques/T1518/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml index 3df1dd8bd91..341d4d6b255 100644 --- a/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml +++ b/rules_building_block/discovery_kubectl_workload_and_cluster_discovery.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"] maturity = "production" min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0" min_stack_version = "9.3.0" -updated_date = "2026/02/05" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -59,16 +59,16 @@ process.name == "kubectl" and ( [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1613" -name = "Container and Resource Discovery" -reference = "https://attack.mitre.org/techniques/T1613/" - [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml index eee45ca1da0..0e0adaa499e 100644 --- a/rules_building_block/discovery_linux_modprobe_enumeration.toml +++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -77,11 +77,33 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml index 332fd65a447..061062d0d88 100644 --- a/rules_building_block/discovery_linux_sysctl_enumeration.toml +++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/08" integration = ["auditd_manager"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
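Review bot: Mapping discovery_linux_modprobe_enumeration.toml to T1547.006 (Kernel Modules and Extensions) under a new Persistence `[[rule.threat]]` block in the `-77,11 +77,33` hunk looks broader than the rule: an enumeration rule observes module listing, whereas T1547.006 describes loading a module to persist, so unless the query (outside the hunk) also matches load/insert forms, the block attaches a Persistence tactic to alerts that only show discovery. If the mapping is kept, the `description` should state why enumeration is treated as persistence, and the rule's `tags` array (also outside the hunk) needs a matching `Tactic: Persistence` entry if this repository's tag/tactic consistency check applies. The added T1083 (File and Directory Discovery) technique is easier to defend but deserves the same one-line justification, since nothing in the hunk shows what file access the query covers.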
@@ -79,6 +79,36 @@ id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1565" +name = "Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/" + +[[rule.threat.technique.subtechnique]] +id = "T1565.001" +name = "Stored Data Manipulation" +reference = "https://attack.mitre.org/techniques/T1565/001/" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] diff --git a/rules_building_block/discovery_net_share_discovery_winlog.toml b/rules_building_block/discovery_net_share_discovery_winlog.toml index 4d83aa90687..395fa517e79 100644 --- a/rules_building_block/discovery_net_share_discovery_winlog.toml +++ b/rules_building_block/discovery_net_share_discovery_winlog.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/14" integration = ["windows", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
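Review bot: The two `[[rule.threat]]` blocks added to discovery_linux_sysctl_enumeration.toml (T1562 Impair Defenses under Defense Evasion, T1565.001 Stored Data Manipulation under Impact) describe changing kernel parameters, while the rule name and the existing TA0007 mapping describe enumeration; unless the query, which is outside the hunk, also matches write forms such as `sysctl -w`, these tactics will be reported for read-only activity. If the query does cover writes, the rule name and `description` should say so; if it does not, the two blocks belong in a separate rule rather than here. Either way the `tags` array outside the hunk needs `Tactic: Defense Evasion` and `Tactic: Impact` entries for the new tactics if the repository's tag/tactic consistency test applies.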
@@ -44,26 +44,44 @@ sequence by user.name, source.port, source.ip with maxspan=15s [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1039" name = "Data from Network Shared Drive" reference = "https://attack.mitre.org/techniques/T1039/" - [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.002" +name = "SMB/Windows Admin Shares" +reference = "https://attack.mitre.org/techniques/T1021/002/" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" diff --git a/rules_building_block/discovery_of_domain_groups.toml b/rules_building_block/discovery_of_domain_groups.toml index c64491dcc33..5a7e4e36c5f 100644 --- a/rules_building_block/discovery_of_domain_groups.toml +++ b/rules_building_block/discovery_of_domain_groups.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/23" integration = ["endpoint", "auditd_manager", "crowdstrike"] maturity = "production" -updated_date = "2025/10/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -44,14 +44,18 @@ process where host.os.type == "linux" and event.type == "start" and event.action [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1069" name = "Permission Groups Discovery" reference = "https://attack.mitre.org/techniques/T1069/" +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_posh_generic.toml b/rules_building_block/discovery_posh_generic.toml index d25af55f2b8..f6b29067589 100644 --- a/rules_building_block/discovery_posh_generic.toml +++ b/rules_building_block/discovery_posh_generic.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/06" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -201,6 +201,7 @@ value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Prot [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" @@ -211,6 +212,11 @@ id = "T1012" name = "Query Registry" reference = "https://attack.mitre.org/techniques/T1012/" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" 
@@ -222,9 +228,19 @@ name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" [[rule.threat.technique]] -id = "T1082" -name = "System Information Discovery" -reference = "https://attack.mitre.org/techniques/T1082/" +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.001" +name = "Local Groups" +reference = "https://attack.mitre.org/techniques/T1069/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" [[rule.threat.technique]] id = "T1082" @@ -240,6 +256,7 @@ reference = "https://attack.mitre.org/techniques/T1083/" id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" + [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" @@ -250,7 +267,6 @@ id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" - [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" 
@@ -270,37 +286,36 @@ reference = "https://attack.mitre.org/techniques/T1482/" id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" + [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" - [[rule.threat.technique]] id = "T1615" name = "Group Policy Discovery" reference = "https://attack.mitre.org/techniques/T1615/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml index fe12f739745..c0d2b23ed0b 100644 --- a/rules_building_block/discovery_posh_password_policy.toml +++ b/rules_building_block/discovery_posh_password_policy.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/12" integration = ["windows"] maturity = "production" -updated_date = "2026/02/09" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -142,34 +142,52 @@ not user.id : "S-1-5-18" [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1201" name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" + [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.006" +name = "Group Policy Preferences" +reference = "https://attack.mitre.org/techniques/T1552/006/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" [rule.investigation_fields] field_names = [ "@timestamp", diff --git a/rules_building_block/discovery_potential_memory_seeking_activity.toml b/rules_building_block/discovery_potential_memory_seeking_activity.toml index 1296b79194d..2640548bf2c 100644 --- a/rules_building_block/discovery_potential_memory_seeking_activity.toml +++ b/rules_building_block/discovery_potential_memory_seeking_activity.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/02/01" integration = ["endpoint"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
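Review bot: T1552.006 (Group Policy Preferences, Credential Access), added as a third `[[rule.threat]]` block in discovery_posh_password_policy.toml's `-142,34 +142,52` hunk, covers reading credentials stored in Group Policy Preferences, which is a different activity from querying the domain password policy that the rule name and the T1201 mapping describe. Unless the PowerShell query (outside the hunk) also matches GPP-reading cmdlets or SYSVOL policy-file access, this mapping labels ordinary policy lookups as credential access; if it does match them, the rule name should be widened to say so. A matching `Tactic: Credential Access` tag (outside the hunk) is also needed if the repository's tag/tactic consistency check applies.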
@@ -70,3 +70,16 @@ reference = "https://attack.mitre.org/techniques/T1057/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1005" +name = "Data from Local System" +reference = "https://attack.mitre.org/techniques/T1005/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" diff --git a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml index 49272de507f..8244aa0061e 100644 --- a/rules_building_block/discovery_remote_system_discovery_commands_windows.toml +++ b/rules_building_block/discovery_remote_system_discovery_commands_windows.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2020/12/04" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -93,6 +93,7 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" @@ -103,9 +104,17 @@ id = "T1018" name = "Remote System Discovery" reference = "https://attack.mitre.org/techniques/T1018/" +[[rule.threat.technique]] +id = "T1069" +name = "Permission Groups Discovery" +reference = "https://attack.mitre.org/techniques/T1069/" + +[[rule.threat.technique.subtechnique]] +id = "T1069.002" +name = "Domain Groups" +reference = "https://attack.mitre.org/techniques/T1069/002/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_system_network_connections.toml b/rules_building_block/discovery_system_network_connections.toml index b226cb4c1aa..0493b25927c 100644 
--- a/rules_building_block/discovery_system_network_connections.toml +++ b/rules_building_block/discovery_system_network_connections.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/11" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/02" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -45,6 +45,11 @@ not ( [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" @@ -54,7 +59,6 @@ reference = "https://attack.mitre.org/techniques/T1049/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable", "process.command_line", "host.id"] diff --git a/rules_building_block/discovery_system_service_discovery.toml b/rules_building_block/discovery_system_service_discovery.toml index 4810cc175fd..335cba1ca7b 100644 --- a/rules_building_block/discovery_system_service_discovery.toml +++ b/rules_building_block/discovery_system_service_discovery.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2025/12/17" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -70,14 +70,23 @@ process where host.os.type == "windows" and event.type == "start" and process.pa [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" reference = "https://attack.mitre.org/techniques/T1007/" +[[rule.threat.technique]] +id = "T1057" +name = "Process Discovery" +reference = "https://attack.mitre.org/techniques/T1057/" + +[[rule.threat.technique]] +id = "T1135" +name = "Network Share Discovery" +reference = "https://attack.mitre.org/techniques/T1135/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_system_time_discovery.toml b/rules_building_block/discovery_system_time_discovery.toml index 4966907e28e..10d34aea977 100644 --- a/rules_building_block/discovery_system_time_discovery.toml +++ b/rules_building_block/discovery_system_time_discovery.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/01/24" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -54,14 +54,18 @@ process where host.os.type == "windows" and event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1124" name = "System Time Discovery" reference = "https://attack.mitre.org/techniques/T1124/" +[[rule.threat.technique]] +id = "T1614" +name = "System Location Discovery" +reference = "https://attack.mitre.org/techniques/T1614/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_win_network_connections.toml b/rules_building_block/discovery_win_network_connections.toml index dc1f9d25751..96787e5026b 100644 --- a/rules_building_block/discovery_win_network_connections.toml +++ b/rules_building_block/discovery_win_network_connections.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] @@ -52,6 +52,12 @@ process where event.type == "start" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" @@ -62,9 +68,12 @@ id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" +[[rule.threat.technique]] +id = "T1087" +name = "Account Discovery" +reference = "https://attack.mitre.org/techniques/T1087/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index c2deaf4223a..a1f44fc1912 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows", "endpoint", "system"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -62,14 +62,36 @@ process.parent.executable : ( [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1047" +name = "Windows Management Instrumentation" +reference = "https://attack.mitre.org/techniques/T1047/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.003" +name = "Windows Command Shell" +reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml index 481941c1220..948e55f7d53 100644 --- a/rules_building_block/execution_github_new_event_action_for_pat.toml +++ b/rules_building_block/execution_github_new_event_action_for_pat.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -37,17 +37,52 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1550" +name = "Use Alternate Authentication Material" +reference = "https://attack.mitre.org/techniques/T1550/" + +[[rule.threat.technique.subtechnique]] +id = "T1550.001" +name = "Application Access Token" +reference = "https://attack.mitre.org/techniques/T1550/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + +[[rule.threat.technique.subtechnique]] +id = "T1098.001" +name = "Additional Cloud Credentials" +reference = "https://attack.mitre.org/techniques/T1098/001/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "event.action"] diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml index cb75d586d8b..a8e01f3fedc 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
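Review bot: T1098.001 (Additional Cloud Credentials, Persistence), added in execution_github_new_event_action_for_pat.toml's `-37,17 +37,52` hunk, describes an adversary adding credentials to an account, but the rule fires on a first-seen `event.action` for an existing token (`new_terms_fields` is `github.hashed_token` plus `event.action`), which observes token use rather than credential creation. T1550.001 (Application Access Token) fits that observation; T1098.001 only does if the query (outside the hunk) is restricted to credential-creation audit actions, which is worth confirming before a Persistence tactic is attached. If both blocks stay, `tags` outside the hunk needs `Tactic: Defense Evasion` and `Tactic: Persistence` entries if the repository's tag/tactic test applies.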
@@ -38,17 +38,34 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" [rule.new_terms] field = "new_terms_fields" value = ["github.hashed_token", "github.repo"] diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml index ba867350a28..896a0dcf8b3 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_user.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -37,17 +37,34 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" [rule.new_terms] field = "new_terms_fields" value = ["user.name", "github.repo"] diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml index 0b5f2635db1..a7e65405fa1 100644 --- a/rules_building_block/execution_github_repo_created.toml +++ b/rules_building_block/execution_github_repo_created.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -35,14 +35,31 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1583" +name = "Acquire Infrastructure" +reference = "https://attack.mitre.org/techniques/T1583/" + +[[rule.threat.technique.subtechnique]] +id = "T1583.006" +name = "Web Services" +reference = "https://attack.mitre.org/techniques/T1583/006/" + +[rule.threat.tactic] +id = "TA0042" +name = "Resource Development" +reference = "https://attack.mitre.org/tactics/TA0042/" diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml index 33a822c8378..c048fbf59d9 100644 --- a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml +++ b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2025/12/24" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -37,17 +37,52 @@ github.repository_public:false [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1648" name = "Serverless Execution" reference = "https://attack.mitre.org/techniques/T1648/" - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1213" +name = "Data from Information Repositories" +reference = "https://attack.mitre.org/techniques/T1213/" + +[[rule.threat.technique.subtechnique]] +id = "T1213.003" +name = "Code Repositories" +reference = "https://attack.mitre.org/techniques/T1213/003/" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = ["github.repo", "github.actor_ip"] diff --git a/rules_building_block/execution_linux_segfault.toml b/rules_building_block/execution_linux_segfault.toml index e1d006ca679..b62d4a8eb19 100644 --- a/rules_building_block/execution_linux_segfault.toml +++ b/rules_building_block/execution_linux_segfault.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/26" integration = ["system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
@@ -58,8 +58,12 @@ host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml index 1c014464624..b6b5b084656 100644 --- a/rules_building_block/execution_settingcontent_ms_file_creation.toml +++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
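Review bot: T1203 (Exploitation for Client Execution) becomes the only technique for execution_linux_segfault.toml, but a kernel-logged segfault (`process.name:kernel` in `system.syslog`) does not distinguish a crashed client application from a crashed network-facing service, for which T1190 (Exploit Public-Facing Application) would be the relevant technique, nor from an ordinary software fault. The mapping is therefore an assumption about the crashing process; either keep the rule at the tactic level as it was before this hunk, or document in the `description` (outside the hunk) why client execution is assumed and how analysts should confirm it.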
@@ -46,36 +46,54 @@ file where host.os.type == "windows" and event.type == "creation" and [[rule.threat]] framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1203" +name = "Exploitation for Client Execution" +reference = "https://attack.mitre.org/techniques/T1203/" + [[rule.threat.technique]] id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" + [[rule.threat.technique.subtechnique]] id = "T1204.002" name = "Malicious File" reference = "https://attack.mitre.org/techniques/T1204/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1566" name = "Phishing" reference = "https://attack.mitre.org/techniques/T1566/" + [[rule.threat.technique.subtechnique]] id = "T1566.001" name = "Spearphishing Attachment" reference = "https://attack.mitre.org/techniques/T1566/001/" - - [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1218" +name = "System Binary Proxy Execution" +reference = "https://attack.mitre.org/techniques/T1218/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/execution_unsigned_service_executable.toml b/rules_building_block/execution_unsigned_service_executable.toml index 3a861c4ab50..46bb49f0048 100644 --- a/rules_building_block/execution_unsigned_service_executable.toml +++ b/rules_building_block/execution_unsigned_service_executable.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/14" integration = ["endpoint"] maturity = "production" -updated_date = "2026/02/19" +updated_date = "2026/03/24" [rule] author = ["Elastic"] 
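Review bot: T1203 (Exploitation for Client Execution), inserted at the top of execution_settingcontent_ms_file_creation.toml's technique list in the `-46,36 +46,54` hunk, asserts a software vulnerability, but `.SettingContent-ms` abuse relies on intended shell behaviour rather than an exploit; the existing T1204.002 (Malicious File) and the new T1218 (System Binary Proxy Execution) already describe the activity without that claim. Unless the query (outside the hunk) is tied to an exploit-delivery context, dropping the T1203 block keeps the mapping accurate. The new Defense Evasion `[[rule.threat]]` block also needs a `Tactic: Defense Evasion` entry in `tags` (outside the hunk) if the repository's tag/tactic consistency check applies.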
@@ -42,39 +42,57 @@ not process.code_signature.status : (errorCode_endpoint* or "errorChaining") [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1569" name = "System Services" reference = "https://attack.mitre.org/techniques/T1569/" + [[rule.threat.technique.subtechnique]] id = "T1569.002" name = "Service Execution" reference = "https://attack.mitre.org/techniques/T1569/002/" - - [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1036" name = "Masquerading" reference = "https://attack.mitre.org/techniques/T1036/" + [[rule.threat.technique.subtechnique]] id = "T1036.001" name = "Invalid Code Signature" reference = "https://attack.mitre.org/techniques/T1036/001/" - - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["host.id", "process.executable", "user.id"] diff --git a/rules_building_block/initial_access_aws_signin_token_created.toml b/rules_building_block/initial_access_aws_signin_token_created.toml index 2b8d3f7be02..46967d3819e 100644 --- a/rules_building_block/initial_access_aws_signin_token_created.toml +++ b/rules_building_block/initial_access_aws_signin_token_created.toml 
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2025/10/09"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -52,22 +52,39 @@ event.dataset: "aws.cloudtrail" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",
diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml
index b441c6147ea..472759c3b15 100644
--- a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml
+++ b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/12/24"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -37,22 +37,39 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["github.hashed_token", "github.actor_ip"]
diff --git a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml
index 8ec411ba6d9..a0eadada079 100644
--- a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml
+++ b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/12/24"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -37,22 +37,39 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["github.hashed_token", "github.user_agent"]
diff --git a/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml b/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml
index fc9e62e6053..f08ca02aa13 100644
--- a/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml
+++ b/rules_building_block/initial_access_microsoft_defender_threat_intelligence_signal.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2025/08/19"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -98,26 +98,46 @@ event.dataset: "o365.audit" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1204"
 name = "User Execution"
 reference = "https://attack.mitre.org/techniques/T1204/"
+[[rule.threat.technique.subtechnique]]
+id = "T1204.001"
+name = "Malicious Link"
+reference = "https://attack.mitre.org/techniques/T1204/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1204.002"
+name = "Malicious File"
+reference = "https://attack.mitre.org/techniques/T1204/002/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules_building_block/initial_access_microsoft_quarantine_hygiene_signal.toml b/rules_building_block/initial_access_microsoft_quarantine_hygiene_signal.toml
index db599d22bf6..59d2b383cf2 100644
--- a/rules_building_block/initial_access_microsoft_quarantine_hygiene_signal.toml
+++ b/rules_building_block/initial_access_microsoft_quarantine_hygiene_signal.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2026/02/20"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2026/02/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
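Review bot: The subtechnique tables added directly after `reference = "https://attack.mitre.org/techniques/T1566/"` and after the T1204 reference are not separated from their parent technique by a blank line, whereas every other hunk in this commit inserts a `+` blank line before each `[[rule.threat.technique.subtechnique]]` table (see the execution_unsigned_service_executable and initial_access_aws_signin_token_created hunks). The same missing separator appears in the initial_access_microsoft_quarantine_hygiene_signal, initial_access_new_okta_authentication_behavior (no blank after `framework`), initial_access_okta_admin_console_login_failure and persistence_github_new_user_added_to_organization hunks. TOML does not care, but the rest of this commit reads as the output of a normaliser, so these files will churn again on the next formatting pass. Adding the blank line, `+` before each added `[[rule.threat.technique.subtechnique]]`, keeps the rule corpus uniform.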
@@ -52,11 +52,21 @@ event.dataset:o365.audit and event.code:(Quarantine or HygieneEvent or MailSubmi
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1566"
 name = "Phishing"
 reference = "https://attack.mitre.org/techniques/T1566/"
+[[rule.threat.technique.subtechnique]]
+id = "T1566.001"
+name = "Spearphishing Attachment"
+reference = "https://attack.mitre.org/techniques/T1566/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1566.002"
+name = "Spearphishing Link"
+reference = "https://attack.mitre.org/techniques/T1566/002/"
 [rule.threat.tactic]
 id = "TA0001"
diff --git a/rules_building_block/initial_access_new_okta_authentication_behavior.toml b/rules_building_block/initial_access_new_okta_authentication_behavior.toml
index 3333bc42b4d..30cd77e12b3 100644
--- a/rules_building_block/initial_access_new_okta_authentication_behavior.toml
+++ b/rules_building_block/initial_access_new_okta_authentication_behavior.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/01/08"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -76,8 +76,17 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules_building_block/initial_access_okta_admin_console_login_failure.toml b/rules_building_block/initial_access_okta_admin_console_login_failure.toml
index 38c577a2179..212cbbd12bf 100644
--- a/rules_building_block/initial_access_okta_admin_console_login_failure.toml
+++ b/rules_building_block/initial_access_okta_admin_console_login_failure.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2026/02/03"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2026/02/03"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -81,26 +81,31 @@ event.dataset: "okta.system"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml
index 444d49ece7f..7021ddb7aa3 100644
--- a/rules_building_block/lateral_movement_posh_winrm_activity.toml
+++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/12"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -83,36 +83,41 @@ case_insensitive = true
 value = "?:\\\\ExchangeServer\\\\bin*"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.006"
 name = "Windows Remote Management"
 reference = "https://attack.mitre.org/techniques/T1021/006/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1047"
+name = "Windows Management Instrumentation"
+reference = "https://attack.mitre.org/techniques/T1047/"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.001"
 name = "PowerShell"
 reference = "https://attack.mitre.org/techniques/T1059/001/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml
index dbc9fce692a..880890a7609 100644
--- a/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml
+++ b/rules_building_block/lateral_movement_unusual_process_sql_accounts.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/08/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -78,31 +78,57 @@ process where event.type == "start" and host.os.type == "windows" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1210"
 name = "Exploitation of Remote Services"
 reference = "https://attack.mitre.org/techniques/T1210/"
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1505"
 name = "Server Software Component"
 reference = "https://attack.mitre.org/techniques/T1505/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1505.001"
 name = "SQL Stored Procedures"
 reference = "https://attack.mitre.org/techniques/T1505/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml
index 75ac81fc7f1..aa4f14d918c 100644
--- a/rules_building_block/lateral_movement_wmic_remote.toml
+++ b/rules_building_block/lateral_movement_wmic_remote.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/24"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
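Review bot: The added T1190 Exploit Public-Facing Application / Initial Access block tags a cause this rule cannot observe: the hunk header shows a Windows `process` start query, so what is detected is a child process of a SQL service account, not the web request that may have preceded it. ATT&CK tags on a rule normally describe the observed behaviour; if T1190 is meant to express the usual web-application-to-database-execution chain, that reasoning belongs in the rule's description or note (outside this hunk) rather than as a tactic tag that triage dashboards will count as perimeter compromise. The new T1059 block is also left at the parent technique while the rest of this commit lists the specific subtechnique (for example T1059.001 in the lateral_movement_posh_winrm_activity hunk); if the query's interpreter list is fixed, adding those `[[rule.threat.technique.subtechnique]]` entries gives analysts the same precision here.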
@@ -51,31 +51,36 @@ process where host.os.type == "windows" and event.type == "start" and
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.003"
+name = "Distributed Component Object Model"
+reference = "https://attack.mitre.org/techniques/T1021/003/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1021.006"
 name = "Windows Remote Management"
 reference = "https://attack.mitre.org/techniques/T1021/006/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1047"
 name = "Windows Management Instrumentation"
 reference = "https://attack.mitre.org/techniques/T1047/"
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
index f4aaaef461d..aa24f20264c 100644
--- a/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
+++ b/rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2024/04/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -43,29 +43,33 @@ event.dataset: aws.cloudtrail and event.provider: "iam.amazonaws.com"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
-
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.003"
 name = "Additional Cloud Roles"
 reference = "https://attack.mitre.org/techniques/T1098/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml
index a65b0128137..88157c22dc0 100644
--- a/rules_building_block/persistence_github_new_pat_for_user.toml
+++ b/rules_building_block/persistence_github_new_pat_for_user.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/12/24"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -37,22 +37,39 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.001"
 name = "Additional Cloud Credentials"
 reference = "https://attack.mitre.org/techniques/T1098/001/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user.name", "github.hashed_token"]
diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml
index ebf6de67223..fbad7c11ca5 100644
--- a/rules_building_block/persistence_github_new_user_added_to_organization.toml
+++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -35,19 +35,23 @@ configuration where event.dataset == "github.audit" and event.action == "org.add
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1098"
 name = "Account Manipulation"
 reference = "https://attack.mitre.org/techniques/T1098/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1098.001"
 name = "Additional Cloud Credentials"
 reference = "https://attack.mitre.org/techniques/T1098/001/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
diff --git a/rules_building_block/persistence_web_server_potential_sql_injection.toml b/rules_building_block/persistence_web_server_potential_sql_injection.toml
index a6611cbeb3b..43f2275ad19 100644
--- a/rules_building_block/persistence_web_server_potential_sql_injection.toml
+++ b/rules_building_block/persistence_web_server_potential_sql_injection.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/16"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -124,3 +124,16 @@ reference = "https://attack.mitre.org/techniques/T1595/003/"
 id = "TA0043"
 name = "Reconnaissance"
 reference = "https://attack.mitre.org/tactics/TA0043/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules_building_block/persistence_web_server_sus_file_creation.toml b/rules_building_block/persistence_web_server_sus_file_creation.toml
index 3141a9913dc..e004c973f9d 100644
--- a/rules_building_block/persistence_web_server_sus_file_creation.toml
+++ b/rules_building_block/persistence_web_server_sus_file_creation.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2025/03/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/24"
+updated_date = "2026/03/24"
 [rule]
 author = ["Elastic"]
@@ -160,3 +160,16 @@ reference = "https://attack.mitre.org/techniques/T1071/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
diff --git a/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml
index 39bc5a78dcd..9a83403a8e3 100644
--- a/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml
+++ b/rules_building_block/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/11/03"
+updated_date = "2026/03/24"
 [rule]
 author = ["Austin Songer", "Elastic"]
@@ -92,34 +92,52 @@ event.dataset: aws.cloudtrail
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1550"
 name = "Use Alternate Authentication Material"
 reference = "https://attack.mitre.org/techniques/T1550/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1550.001"
 name = "Application Access Token"
 reference = "https://attack.mitre.org/techniques/T1550/001/"
-
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
 [rule.investigation_fields]
 field_names = [
 "@timestamp",